Edit tour

Windows Analysis Report
8f5WsFcnTc.exe

Overview

General Information

Sample name:	8f5WsFcnTc.exe renamed because original name is a hash value
Original sample name:	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Analysis ID:	1465436
MD5:	3b1a4595328f7a92df02b7a116bc4f40
SHA1:	cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256:	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8f5WsFcnTc.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\8f5WsFcnTc.exe" MD5: 3B1A4595328F7A92DF02B7A116BC4F40)

name.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\8f5WsFcnTc.exe" MD5: 3B1A4595328F7A92DF02B7A116BC4F40)

RegSvcs.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\8f5WsFcnTc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

newfile.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

newfile.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 3B1A4595328F7A92DF02B7A116BC4F40)

RegSvcs.exe (PID: 2528 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 3372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 24 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.jaszredony.hu", "Username": "info@jaszredony.hu", "Password": "jRedony77"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34630:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3474c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34828:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348be:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3494e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34630:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3474c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34828:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348be:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3494e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.2700598845.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 7564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 7564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: name.exe PID: 7564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7612	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 7188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 7188	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: name.exe PID: 7188	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.name.exe.c70000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.c70000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.c70000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x327be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32830:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x328ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3294c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x329b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32a28:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32abe:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32b4e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.name.exe.c70000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.c70000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.name.exe.c70000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.c70000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34630:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3474c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34828:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348be:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3494e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.name.exe.1340000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.name.exe.1340000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.name.exe.1340000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.name.exe.1340000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34630:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3474c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34828:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348be:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3494e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.name.exe.1340000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.name.exe.1340000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.name.exe.1340000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x327be:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32830:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x328ba:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3294c:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x329b6:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32a28:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32abe:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32b4e:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 8156, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 8156, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.name.exe.c70000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.jaszredony.hu", "Username": "info@jaszredony.hu", "Password": "jRedony77"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 8f5WsFcnTc.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8f5WsFcnTc.exe

Joe Sandbox ML: detected

Source: 8f5WsFcnTc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000005.00000000.1596042636.00000000005B2000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1472055847.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1472200186.0000000003760000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1772007578.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1773003803.00000000034A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1472055847.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1472200186.0000000003760000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1772007578.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1773003803.00000000034A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000005.00000000.1596042636.00000000005B2000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D0DBBE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CDC2A2 FindFirstFileExW,	0_2_00CDC2A2
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D168EE FindFirstFileW,FindClose,	0_2_00D168EE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D1698F
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D076
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D3A9
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D19642
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1979D
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D19B2B
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D15C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D15C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0022DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001FC2A2 FindFirstFileExW,	2_2_001FC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_002368EE FindFirstFileW,FindClose,	2_2_002368EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0023698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0022D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0022D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00239642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00239642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0023979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00239B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00239B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00235C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00235C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.9:49711 -> 178.238.222.77:26

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 178.238.222.77 178.238.222.77

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: TARHELYHU TARHELYHU

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00D1CE44

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.jaszredony.hu

Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2699629746.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2699629746.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: name.exe, 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2699629746.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2700598845.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.jaszredony.hu
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2699629746.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: name.exe, 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.name.exe.c70000.1.raw.unpack, SKTzxzsJw.cs	.Net Code: IjRjdEv
Source: 10.2.name.exe.1340000.1.raw.unpack, SKTzxzsJw.cs	.Net Code: IjRjdEv

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D1EAFF

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00D1ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0023ED6A

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

0_2_00D1EAFF

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D0AA57

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00D39576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00259576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00259576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.name.exe.c70000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.name.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 8f5WsFcnTc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8f5WsFcnTc.exe, 00000000.00000003.1455789479.00000000038E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d79847e9-d
Source: 8f5WsFcnTc.exe, 00000000.00000003.1455789479.00000000038E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2473f3c5-0
Source: 8f5WsFcnTc.exe, 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3881cd3d-a
Source: 8f5WsFcnTc.exe, 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_96c47268-a
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000002.00000002.1474022427.0000000000282000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c63e7ef-9
Source: name.exe, 00000002.00000002.1474022427.0000000000282000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d66bf882-1
Source: name.exe, 0000000A.00000000.1761911549.0000000000282000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_21a7dd21-2
Source: name.exe, 0000000A.00000000.1761911549.0000000000282000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_25ca3c4a-2
Source: 8f5WsFcnTc.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1fc6e983-8
Source: 8f5WsFcnTc.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f80aa5f6-3
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4c727316-5
Source: name.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_09ef644e-8

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D0D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D0D5EB

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D01201

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00D0E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0022E8F6

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D12046	0_2_00D12046
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CA8060	0_2_00CA8060
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D08298	0_2_00D08298
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CDE4FF	0_2_00CDE4FF
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CD676B	0_2_00CD676B
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D34873	0_2_00D34873
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CACAF0	0_2_00CACAF0
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CCCAA0	0_2_00CCCAA0
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CBCC39	0_2_00CBCC39
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CD6DD9	0_2_00CD6DD9
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CA91C0	0_2_00CA91C0
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CBB119	0_2_00CBB119
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC1394	0_2_00CC1394
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC1706	0_2_00CC1706
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC781B	0_2_00CC781B
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC19B0	0_2_00CC19B0
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB997D	0_2_00CB997D
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CA7920	0_2_00CA7920
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC7A4A	0_2_00CC7A4A
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC7CA7	0_2_00CC7CA7
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC1C77	0_2_00CC1C77
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CD9EEE	0_2_00CD9EEE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D2BE44	0_2_00D2BE44
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC1F32	0_2_00CC1F32
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00F53640	0_2_00F53640
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001CBF40	2_2_001CBF40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00232046	2_2_00232046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C8060	2_2_001C8060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00228298	2_2_00228298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001FE4FF	2_2_001FE4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001F676B	2_2_001F676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00254873	2_2_00254873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001ECAA0	2_2_001ECAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001CCAF0	2_2_001CCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DCC39	2_2_001DCC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001F6DD9	2_2_001F6DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DB119	2_2_001DB119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C91C0	2_2_001C91C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E1394	2_2_001E1394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E1706	2_2_001E1706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E781B	2_2_001E781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001C7920	2_2_001C7920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001D997D	2_2_001D997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E19B0	2_2_001E19B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E7A4A	2_2_001E7A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E1C77	2_2_001E1C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E7CA7	2_2_001E7CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0024BE44	2_2_0024BE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001F9EEE	2_2_001F9EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E1F32	2_2_001E1F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00C63640	2_2_00C63640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02894208	3_2_02894208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0289E750	3_2_0289E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0289B590	3_2_0289B590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02894AD8	3_2_02894AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02893EC0	3_2_02893EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061AC880	3_2_061AC880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061AB25C	3_2_061AB25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B56A0	3_2_061B56A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B6700	3_2_061B6700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B2460	3_2_061B2460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061BC2A0	3_2_061BC2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061BB358	3_2_061BB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B7E98	3_2_061B7E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B77B8	3_2_061B77B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061BE4C0	3_2_061BE4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B0040	3_2_061B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B5DF8	3_2_061B5DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06AC3500	3_2_06AC3500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_061B0006	3_2_061B0006
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00A53640	10_2_00A53640

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001E0A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001C9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001E4963 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 001DF9F2 appears 40 times
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: String function: 00CBF9F2 appears 40 times
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: String function: 00CA9CB3 appears 31 times
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: String function: 00CC4963 appears 31 times
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: String function: 00CC0A30 appears 46 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 24

Source: 8f5WsFcnTc.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.name.exe.c70000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.name.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.name.exe.c70000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.c70000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@15/18@2/2

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D137B5 GetLastError,FormatMessageW,

0_2_00D137B5

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D010BF AdjustTokenPrivileges,CloseHandle,	0_2_00D010BF
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00D016C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_002210BF AdjustTokenPrivileges,CloseHandle,	2_2_002210BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_002216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_002216C3

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D151CD

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D2A67C

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D1648E

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CA42A2

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2528
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

File created: C:\Users\user\AppData\Local\Temp\autD2CB.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: 8f5WsFcnTc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8f5WsFcnTc.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

File read: C:\Users\user\Desktop\8f5WsFcnTc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8f5WsFcnTc.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 24
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 8f5WsFcnTc.exe

Static file information: File size 1181696 > 1048576

Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8f5WsFcnTc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8f5WsFcnTc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000005.00000000.1596042636.00000000005B2000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1472055847.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1472200186.0000000003760000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1772007578.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1773003803.00000000034A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1472055847.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1472200186.0000000003760000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1772007578.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1773003803.00000000034A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000005.00000000.1596042636.00000000005B2000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr

Source: 8f5WsFcnTc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8f5WsFcnTc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8f5WsFcnTc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8f5WsFcnTc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8f5WsFcnTc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF668E push ss; retf	0_2_00CF668F
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF6686 push ss; retf	0_2_00CF6687
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF6682 push ss; retf	0_2_00CF6683
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC0A76 push ecx; ret	0_2_00CC0A89
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF4CE6 push 0000003Eh; iretd	0_2_00CF4CE8
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CAD01B push cs; iretd	0_2_00CAD01E
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB1199 push cs; retf	0_2_00CB119A
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB119C push cs; retf	0_2_00CB11A2
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB124F pushad ; iretd	0_2_00CB1252
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB124D pushad ; iretd	0_2_00CB124E
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB1247 pushad ; iretd	0_2_00CB124A
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB125F pushad ; iretd	0_2_00CB1262
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB1253 pushad ; iretd	0_2_00CB1256
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CB1263 pushad ; iretd	0_2_00CB1266
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF56D8 push eax; iretd	0_2_00CF56DA
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF56E9 push esp; iretd	0_2_00CF56EA
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF57E4 push ebx; iretd	0_2_00CF57FA
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF57E1 push ebx; iretd	0_2_00CF57E2
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF57FC push esi; iretd	0_2_00CF5802
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF1788 push ss; iretd	0_2_00CF1789
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF5788 push eax; iretd	0_2_00CF578A
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF179F push ss; iretd	0_2_00CF17A1
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF5799 push esp; iretd	0_2_00CF579A
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF1797 push ss; iretd	0_2_00CF179D
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF17AC push ss; iretd	0_2_00CF17AD
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF17A8 push ss; iretd	0_2_00CF17A9
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF17A3 push ss; iretd	0_2_00CF17A5
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF57B8 push ebx; iretd	0_2_00CF57CE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF57B5 push ebx; iretd	0_2_00CF57B6
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF17B0 push ss; iretd	0_2_00CF17B1
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CF5741 push esp; iretd	0_2_00CF5742

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	File created: C:\Users\user\AppData\Local\directory\name.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00CBF98E
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00D31C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_001DF98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00251C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00251C41

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: name.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 7188, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98241
Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: C63264
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: A53264

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: name.exe, 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6684			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1188			Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.5 %

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D0DBBE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CDC2A2 FindFirstFileExW,	0_2_00CDC2A2
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D168EE FindFirstFileW,FindClose,	0_2_00D168EE
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D1698F
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D076
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D0D3A9
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D19642
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1979D
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D19B2B
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D15C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D15C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0022DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001FC2A2 FindFirstFileExW,	2_2_001FC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_002368EE FindFirstFileW,FindClose,	2_2_002368EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_0023698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0022D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0022D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0022D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00239642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00239642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_0023979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0023979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00239B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00239B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00235C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00235C97

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97106	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_028970C0 CheckRemoteDebuggerPresent,

3_2_028970C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D1EAA2 BlockInput,

0_2_00D1EAA2

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CD2622

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00CC4CE8
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00F534D0 mov eax, dword ptr fs:[00000030h]	0_2_00F534D0
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00F53530 mov eax, dword ptr fs:[00000030h]	0_2_00F53530
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00F51E70 mov eax, dword ptr fs:[00000030h]	0_2_00F51E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E4CE8 mov eax, dword ptr fs:[00000030h]	2_2_001E4CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00C634D0 mov eax, dword ptr fs:[00000030h]	2_2_00C634D0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00C63530 mov eax, dword ptr fs:[00000030h]	2_2_00C63530
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00C61E70 mov eax, dword ptr fs:[00000030h]	2_2_00C61E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00A53530 mov eax, dword ptr fs:[00000030h]	10_2_00A53530
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00A51E70 mov eax, dword ptr fs:[00000030h]	10_2_00A51E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00A534D0 mov eax, dword ptr fs:[00000030h]	10_2_00A534D0

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D00B62

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD2622
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CC083F
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC09D5 SetUnhandledExceptionFilter,	0_2_00CC09D5
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00CC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CC0C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001F2622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_001E083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E09D5 SetUnhandledExceptionFilter,	2_2_001E09D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_001E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_001E0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\directory\name.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 440000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9F5008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 68E008			Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

0_2_00D01201

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CE2BA5

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D0B226 SendInput,keybd_event,

0_2_00D0B226

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D222DA

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8f5WsFcnTc.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

0_2_00D00B62

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D01663

Source: 8f5WsFcnTc.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8f5WsFcnTc.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CC0698 cpuid

0_2_00CC0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00D18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D18195

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CFD27A GetUserNameW,

0_2_00CFD27A

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CDB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00CDB952

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Code function: 0_2_00CA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CA42DE

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.name.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2700598845.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 7188, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.name.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 7188, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.name.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2700598845.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 7188, type: MEMORYSTR

Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00D21204
Source: C:\Users\user\Desktop\8f5WsFcnTc.exe	Code function: 0_2_00D21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00D21806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00241204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00241204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00241806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00241806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 Masquerading	LSA Secrets	841 Security Software Discovery	SSH	3 Clipboard Data	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	351 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8f5WsFcnTc.exe	68%	ReversingLabs	Win32.Trojan.AgentTesla
8f5WsFcnTc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\name.exe	68%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://mail.jaszredony.hu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.jaszredony.hu	178.238.222.77	true	true		unknown
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2703323664.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.jaszredony.hu	RegSvcs.exe, 00000003.00000002.2700598845.0000000002A64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	name.exe, 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2700598845.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000003.00000002.2700598845.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
178.238.222.77	mail.jaszredony.hu	Hungary		43359	TARHELYHU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465436
Start date and time:	2024-07-01 16:33:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8f5WsFcnTc.exe renamed because original name is a hash value
Original Sample Name:	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@15/18@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 55 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target newfile.exe, PID 7884 because it is empty
Execution Graph export aborted for target newfile.exe, PID 8044 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8f5WsFcnTc.exe

Simulations

Behavior and APIs

Time	Type	Description
10:34:20	API Interceptor	39x Sleep call for process: RegSvcs.exe modified
10:34:58	API Interceptor	1x Sleep call for process: WerFault.exe modified
15:34:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
15:34:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
15:34:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
178.238.222.77	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse
	temp.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse
	whitegick.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.jaszredony.hu	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	temp.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	whitegick.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
ip-api.com	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TARHELYHU	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	temp.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	whitegick.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	178.238.211.25
	#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	185.51.188.44
	#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe	Get hash	malicious	GuLoader	Browse	185.51.188.44
	S#U00d6ZLE#U015eME DEV8759 - pdf.exe	Get hash	malicious	GuLoader	Browse	185.51.188.44
TUT-ASUS	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	COTIZACI#U00d3N________________________pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse
	54dse57Lv7.exe	Get hash	malicious	AgentTesla	Browse
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse
	doc -scan file.exe	Get hash	malicious	AgentTesla	Browse
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	ORDERDATASHEET#PO8738763.scr.exe	Get hash	malicious	AgentTesla, RedLine, SugarDump, XWorm	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	temp.exe	Get hash	malicious	AgentTesla	Browse
	Urgent PO.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_a7e47327-a6cd-4a75-a021-f666aba22f2d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5815587572976134
Encrypted:	false
SSDEEP:	96:NmdFIWrPsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAof/VXT5NHG:mSWrPk0WbkQzuiFuZ24IO8b
MD5:	EF3685F506A65DD8D9F603B7ED7AFED3
SHA1:	8EA3B28E3B7794700919540B22E91BEB614EDCAA
SHA-256:	D689F574899CE7C573CB8B0CC1E5C4FFF3A192F4364CEED91E8E0D1AF44475BD
SHA-512:	1F72A7D3C5DC4D0B7917074395B3AD9040C6C978AD1E947EA8535A7D028AF14C6F4F0F649B83E8F3A9DCD46D50E3B32C6916694365E126BA92F451853DD2BCC8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.1.8.0.8.8.9.2.2.1.4.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.1.8.0.9.3.2.1.9.0.1.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.e.4.7.3.2.7.-.a.6.c.d.-.4.a.7.5.-.a.0.2.1.-.f.6.6.6.a.b.a.2.2.f.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.1.c.3.0.4.7.-.8.7.4.b.-.4.1.b.3.-.9.5.5.7.-.1.0.7.d.a.3.5.c.a.f.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.e.0.-.0.0.0.1.-.0.0.1.4.-.4.f.4.6.-.0.c.d.3.c.3.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.!.R.e.g.S.v.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER645F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8218
Entropy (8bit):	3.6740285190804585
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5f6EQol6Y0o6zhgmfUipx089b8/sf05Um:R6lXJB6m6Yb6zhgmfUU8kfS
MD5:	4099D6DE3B08AE7A9AB418EDA360EF05
SHA1:	307E107EA0C7BBE5BC1A07FF145580AF78F221B0
SHA-256:	7F925966D06C308A0D32284110014A11C14296010D05E8ECEB469FD1FBD48028
SHA-512:	728D4E36E89620F4A6E5D9FDEF9FEF62356C208AD1A1447A0AD5704528B31EF50FBEB35DD1FCF62C5D5EBACD57B550789BA718589AA03C7AF1A8E0BBE989FE74
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER648F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.435218113979675
Encrypted:	false
SSDEEP:	48:cvIwWl8zskJg77aI9+RWpW8VYzuYm8M4JTHFOi+q87mm30ad:uIjfiI7MA7VSJIifm30ad
MD5:	7E44E5DED0810E7B79ECD6242A4AC509
SHA1:	D86CD1010EEAF549BD1F5828B2A4C232703F9E42
SHA-256:	D19DE4CEE7FF56512A75A4DDD3B31B308FF04B059DB5BB8C203540AE63E23B72
SHA-512:	27BFC425C77CF52E49CCCD65D0D065C40CE0D7B14C938F3DD0A5A14142E6A8BCF75ADF9956C7AE9E5D3C8CD3298185FE6DA55F0D9A89D0F9E740B10A05E3D541
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392017" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\WER548F.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4736
Entropy (8bit):	3.2400817835458087
Encrypted:	false
SSDEEP:	96:pwpIi/kXkkX5kuguW40Q10Qe0Qgs0QX00QB0QVU33d3gdXQKszeuzSzbxGQI5/mG:pSlI+u/VWNQDoeyOkNP
MD5:	B6CCF49E4733F54C9F69594D1BE587F3
SHA1:	2C1A1B24E88ED8711C8C8A379CD67EF88202C010
SHA-256:	0A5CB79FE8757B0347C648CE700A255E5D2DC31C93E549A7AA11723E4020DFF3
SHA-512:	1ACC062521ED078B21345ACB79BD62400A656B53D8ED489D9F6E6C406C8B7A118ACF71AEBFE725C9E9C01CD19052973090BD6AD50A83FB00B9A66C2A0E456352
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .3.3.1.2. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .9.5.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .3.0.3.1.4.3.3. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.

C:\Users\user\AppData\Local\Temp\aut4E06.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	153648
Entropy (8bit):	7.9264848829174195
Encrypted:	false
SSDEEP:	3072:w9JfmIg62LSE9D4/1VQtg7oQu2tcfq/rW+A7KKOMyBkCY24ceGLwh:wLfgv2/N2q7nd/rF9wVh
MD5:	4F05EDB97E7F667D27D4D8704D093E6F
SHA1:	3BD5DDF6FBFE8E3891C24650301F7AE54D3AF854
SHA-256:	EC3FA0AB9956C516AD9CA00DC895926B1A5BFDE5B953C6C481F1E201DDD619FA
SHA-512:	853082AB7C1D6D00D394C8705500DF648B1E1D436824F0178BDE2A95C8812F8A64910F203047C59EBF077A9251C4642B9F470EE10617B919D02A808E9D91BC14
Malicious:	false
Preview:	EA06.......T.VsP.R...7..R.M.5..j.J.U..J...Y.Q.S..\...~....W...U\mg3j.N".[4..^.\h...}5.FfsY,..-.If..,......P...3=...z..v.T.j.T..j5z]>.?..4.sJ.Uk..R..Vg...\I14.eR...j.`....0........'...F......+...3....z.....U....J.4.x.....W.D.].@..<.]....D~.._Z......h.J..0.U....!......^.P.......S.T.c.z.B3+.Q' ..J..........?\|.....B.Mg.Z.f..+.....C.3...!u..l...f.T.=J..M+U.U..W..,T....G..&.......I..u...b....k.).....):.5.9...c.h.U).n...._1..`.Q.-K....f.....P.q._9.6.P.Tv..F[....h3....u.J.T.....\i....^.H......T.....[...%.@.]...Z..l..L..".X.....g.m.....A...~}]5zC..].TZ...A...{...U?.f..l. ....i. ."...E@4....$..(.......s...r...\...0.....) ..fIE...........~.y7.z{P.<;...Y..z4ra..h.U/.K3....5...Oz......[:.li.=J.w.T.Ui.ru@.L.vJ..I..[j...V.L.N..ZLg....8...:...j.?....#...^.......C.K.~x.-.....9[:.Vs..r....S3.V.....8...UY4.....m.y...!...V.:.T.u...2..3j..3.Ug5MUz.9....../.V.4. ..{.....K.P.Q.5...J.T...R.Z.....P..".V.4.....UjT)..V.Eku*\...G.2p....T...=BA..X ....^.3+.....6.

C:\Users\user\AppData\Local\Temp\aut4E46.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9760
Entropy (8bit):	7.600024436682888
Encrypted:	false
SSDEEP:	192:K7U22a8TpvRLbofttdRtxKY1HH6ucjhaEPrSYda9cqrc/Nj+S9P7cP:K7iJ9tofttdzv167jUs701rOS0+
MD5:	CA7B75E636135CE38EA2BFD5A746AFC1
SHA1:	38ABB6ADB25FFA161D2BD5904AC038CC9D37576D
SHA-256:	93B5E47F15F9ACA44A0C46F032B5AA5307A2017C3451D48D6EAF77B69CCA552F
SHA-512:	CBD51D7327BAB2F550E78369717A9C0A9C675E9A5CEC341ADA27ADDD87F13E872D1D21A1AF821AD06EA8AB014035634EE60F2C44EBA57DDD9555441D47540C87
Malicious:	false
Preview:	EA06..p..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\autD2CB.tmp

Download File

Process:	C:\Users\user\Desktop\8f5WsFcnTc.exe
File Type:	data
Category:	dropped
Size (bytes):	153648
Entropy (8bit):	7.9264848829174195
Encrypted:	false
SSDEEP:	3072:w9JfmIg62LSE9D4/1VQtg7oQu2tcfq/rW+A7KKOMyBkCY24ceGLwh:wLfgv2/N2q7nd/rF9wVh
MD5:	4F05EDB97E7F667D27D4D8704D093E6F
SHA1:	3BD5DDF6FBFE8E3891C24650301F7AE54D3AF854
SHA-256:	EC3FA0AB9956C516AD9CA00DC895926B1A5BFDE5B953C6C481F1E201DDD619FA
SHA-512:	853082AB7C1D6D00D394C8705500DF648B1E1D436824F0178BDE2A95C8812F8A64910F203047C59EBF077A9251C4642B9F470EE10617B919D02A808E9D91BC14
Malicious:	false
Preview:	EA06.......T.VsP.R...7..R.M.5..j.J.U..J...Y.Q.S..\...~....W...U\mg3j.N".[4..^.\h...}5.FfsY,..-.If..,......P...3=...z..v.T.j.T..j5z]>.?..4.sJ.Uk..R..Vg...\I14.eR...j.`....0........'...F......+...3....z.....U....J.4.x.....W.D.].@..<.]....D~.._Z......h.J..0.U....!......^.P.......S.T.c.z.B3+.Q' ..J..........?\|.....B.Mg.Z.f..+.....C.3...!u..l...f.T.=J..M+U.U..W..,T....G..&.......I..u...b....k.).....):.5.9...c.h.U).n...._1..`.Q.-K....f.....P.q._9.6.P.Tv..F[....h3....u.J.T.....\i....^.H......T.....[...%.@.]...Z..l..L..".X.....g.m.....A...~}]5zC..].TZ...A...{...U?.f..l. ....i. ."...E@4....$..(.......s...r...\...0.....) ..fIE...........~.y7.z{P.<;...Y..z4ra..h.U/.K3....5...Oz......[:.li.=J.w.T.Ui.ru@.L.vJ..I..[j...V.L.N..ZLg....8...:...j.?....#...^.......C.K.~x.-.....9[:.Vs..r....S3.V.....8...UY4.....m.y...!...V.:.T.u...2..3j..3.Ug5MUz.9....../.V.4. ..{.....K.P.Q.5...J.T...R.Z.....P..".V.4.....UjT)..V.Eku*\...G.2p....T...=BA..X ....^.3+.....6.

C:\Users\user\AppData\Local\Temp\autD32A.tmp

Download File

Process:	C:\Users\user\Desktop\8f5WsFcnTc.exe
File Type:	data
Category:	dropped
Size (bytes):	9760
Entropy (8bit):	7.600024436682888
Encrypted:	false
SSDEEP:	192:K7U22a8TpvRLbofttdRtxKY1HH6ucjhaEPrSYda9cqrc/Nj+S9P7cP:K7iJ9tofttdzv167jUs701rOS0+
MD5:	CA7B75E636135CE38EA2BFD5A746AFC1
SHA1:	38ABB6ADB25FFA161D2BD5904AC038CC9D37576D
SHA-256:	93B5E47F15F9ACA44A0C46F032B5AA5307A2017C3451D48D6EAF77B69CCA552F
SHA-512:	CBD51D7327BAB2F550E78369717A9C0A9C675E9A5CEC341ADA27ADDD87F13E872D1D21A1AF821AD06EA8AB014035634EE60F2C44EBA57DDD9555441D47540C87
Malicious:	false
Preview:	EA06..p..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\autD74F.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	153648
Entropy (8bit):	7.9264848829174195
Encrypted:	false
SSDEEP:	3072:w9JfmIg62LSE9D4/1VQtg7oQu2tcfq/rW+A7KKOMyBkCY24ceGLwh:wLfgv2/N2q7nd/rF9wVh
MD5:	4F05EDB97E7F667D27D4D8704D093E6F
SHA1:	3BD5DDF6FBFE8E3891C24650301F7AE54D3AF854
SHA-256:	EC3FA0AB9956C516AD9CA00DC895926B1A5BFDE5B953C6C481F1E201DDD619FA
SHA-512:	853082AB7C1D6D00D394C8705500DF648B1E1D436824F0178BDE2A95C8812F8A64910F203047C59EBF077A9251C4642B9F470EE10617B919D02A808E9D91BC14
Malicious:	false
Preview:	EA06.......T.VsP.R...7..R.M.5..j.J.U..J...Y.Q.S..\...~....W...U\mg3j.N".[4..^.\h...}5.FfsY,..-.If..,......P...3=...z..v.T.j.T..j5z]>.?..4.sJ.Uk..R..Vg...\I14.eR...j.`....0........'...F......+...3....z.....U....J.4.x.....W.D.].@..<.]....D~.._Z......h.J..0.U....!......^.P.......S.T.c.z.B3+.Q' ..J..........?\|.....B.Mg.Z.f..+.....C.3...!u..l...f.T.=J..M+U.U..W..,T....G..&.......I..u...b....k.).....):.5.9...c.h.U).n...._1..`.Q.-K....f.....P.q._9.6.P.Tv..F[....h3....u.J.T.....\i....^.H......T.....[...%.@.]...Z..l..L..".X.....g.m.....A...~}]5zC..].TZ...A...{...U?.f..l. ....i. ."...E@4....$..(.......s...r...\...0.....) ..fIE...........~.y7.z{P.<;...Y..z4ra..h.U/.K3....5...Oz......[:.li.=J.w.T.Ui.ru@.L.vJ..I..[j...V.L.N..ZLg....8...:...j.?....#...^.......C.K.~x.-.....9[:.Vs..r....S3.V.....8...UY4.....m.y...!...V.:.T.u...2..3j..3.Ug5MUz.9....../.V.4. ..{.....K.P.Q.5...J.T...R.Z.....P..".V.4.....UjT)..V.Eku*\...G.2p....T...=BA..X ....^.3+.....6.

C:\Users\user\AppData\Local\Temp\autD899.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9760
Entropy (8bit):	7.600024436682888
Encrypted:	false
SSDEEP:	192:K7U22a8TpvRLbofttdRtxKY1HH6ucjhaEPrSYda9cqrc/Nj+S9P7cP:K7iJ9tofttdzv167jUs701rOS0+
MD5:	CA7B75E636135CE38EA2BFD5A746AFC1
SHA1:	38ABB6ADB25FFA161D2BD5904AC038CC9D37576D
SHA-256:	93B5E47F15F9ACA44A0C46F032B5AA5307A2017C3451D48D6EAF77B69CCA552F
SHA-512:	CBD51D7327BAB2F550E78369717A9C0A9C675E9A5CEC341ADA27ADDD87F13E872D1D21A1AF821AD06EA8AB014035634EE60F2C44EBA57DDD9555441D47540C87
Malicious:	false
Preview:	EA06..p..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\jailless

Download File

Process:	C:\Users\user\Desktop\8f5WsFcnTc.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5868067007788773
Encrypted:	false
SSDEEP:	384:yJejrk92+feAZBpPlWrqGE7sKJmJEcAgNlLfdxN0/0+TPCLr7HhC:se8E+eAHpPlWrRJEcAgNpzgPcxC
MD5:	2AAA7B7930CDDC427CF97397FAE04C51
SHA1:	3F6D95A1329A2EA064C9427B6139323C3F8EECE5
SHA-256:	72AA831E1CB8286C8FBA0408ABA377DD57717735E326529F950A96A8D36AFACA
SHA-512:	B2540C50E492CDE805B6277BF216A8840CE6061ADC2D37641B5A95279EDDA3A2F4E23DA3DFC5B0964F6B99E0F9BB9BD055BC96A2957DDCE87F3051D74C1AC449
Malicious:	false
Preview:	0k558orp81rppp0200005657o86o00000066894584o96500000066894q86on7200000066895588o86r0000006689458no96500000066894q8pon6p0000006689558ro83300000066894590o93200000066894q92on2r00000066895594o86400000066894596o96p00000066894q98on6p0000006689559n33p06689459po96r00000066898q44sssssson7400000066899546sssssso86400000066898548sssssso96p00000066898q4nsssssson6p0000006689954psssssso82r0000006689854rsssssso96400000066898q50sssssson6p00000066899552sssssso86p00000066898554ssssss33p966898q56sssssson75000000668955q0o873000000668945q2o96500000066894qq4on72000000668955q6o833000000668945q8o93200000066894qqnon2r000000668955qpo864000000668945qro96p00000066894qr0on6p000000668955r233p0668945r4o96100000066898q68sssssson640000006689956nsssssso8760000006689856psssssso96100000066898q6rsssssson7000000066899570sssssso86900000066898572sssssso93300000066898q74sssssson3200000066899576sssssso82r00000066898578sssssso96400000066898q7nsssssson6p0000006689957psssssso86p0000006689857rssssss33p966894q80on73000000668955n0o868

C:\Users\user\AppData\Local\Temp\reindulging

Download File

Process:	C:\Users\user\Desktop\8f5WsFcnTc.exe
File Type:	data
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	6.645349281875858
Encrypted:	false
SSDEEP:	6144:1KFg94PepDRyhZdzanZ50wvLVz4DpxVNKm6ZFxnNIT5P/fXtP9+5v:IW94GpDRKDOnf0ez4LDKmyA3V9+1
MD5:	64365F14BF8C2965CFC7A2CC25EB9C22
SHA1:	F15F3895247EA0CD2373D36C7494885C3B9CB91E
SHA-256:	E63C7D4475AD0D2319C0E49E7E6D16489EC9106D163B0005807E3FDBC013168D
SHA-512:	4D2250C3F85CDAAA1028AD790F2B3E5E1AF568185C58D5B548575E9353F8B929B99BB83B3FE1032B3082EFD5276D4C108028B851A63A8E6AADE49617DDD74D7F
Malicious:	false
Preview:	...LWU9PPKP9..GR.7YQ6ZYJ.TU9PTKP9Y8GR07YQ6ZYJLTU9PTKP9Y8GR07.Q6ZWU.ZU.Y.j.8..f.X^qF(6->58.35%>V-.%7.E,?.37j....=;/5.T5Mv07YQ6ZY..TUuQWKOy?^GR07YQ6Z.JNU^8[TK.:Y8OR07YQ6$.ILTu9PT.S9Y8.R0.YQ6XYJHTU9PTKP=Y8GR07YQ.^YJNTU9PTKR9..GR 7YA6ZYJ\TU)PTKP9Y(GR07YQ6ZYJLx.:P.KP9Y.DRv2YQ6ZYJLTU9PTKP9Y8GR03Y]6ZYJLTU9PTKP9Y8GR07YQ6ZYJLTU9PTKP9Y8GR07YQ6ZYJLTU9PTkP9Q8GR07YQ6ZYJDtU9.TKP9Y8GR07Y.B?!>LTU..WKP.Y8G.37YS6ZYJLTU9PTKP9Y.GRP.+"D9YJL.P9PT.S9Y>GR0.ZQ6ZYJLTU9PTKPyY8.\|BR5>UZYFLTU9PPKP;Y8G.37YQ6ZYJLTU9PT.P9.8GR07YQ6ZYJLTU9P4.S9Y8GRx7YQ4Z\JD.W9tbJP:Y8GS07_Q6ZYJLTU9PTKP9Y8GR07YQ6ZYJLTU9PTKP9Y8GR07YQ6ZYJLI........EyXR0.w.=.I..F..-..6.-.)$...pW.....%R..9.7w..P...?.\P@Q.....'YA91.AuV+.I...vqM.s.T^.#..'x.:S..}........{V%h...8..Z?9e1I)T"\|cV?0D3.H.UU9PT.......^!.lwZER`GA....m?.....HZYJ(TU9"TKPXY8G.07Y>6ZY$LTUGPTK.9Y8.R07.Q6ZnJLTp9PT&P9Y.GR0IYQ6.$EC...9'.9Y8GR...a.7........fH.F.0..R....Q.._<.'z....>..:z.N.'Rvw.SJV=\:@V3;d_}...mVQ=UVLT:U.I...p.\|.u..!..j#.;R07YQ6.YJ.TU9..K.9Y8.R.7..6ZY.T.9.T..Y

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\8f5WsFcnTc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1181696
Entropy (8bit):	6.955417618221877
Encrypted:	false
SSDEEP:	24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aG3n5Bb3dKcuSD:sTvC/MTQYxsWR7ae5/Kcv
MD5:	3B1A4595328F7A92DF02B7A116BC4F40
SHA1:	CBD3E5A4E18BCA01678B6D844ADA7764CBD4A209
SHA-256:	76605D7A013BD7A9974299A201C92360FAEC54E4826E774DDCA35FAE33DAB5BF
SHA-512:	590C07160FD86816573C5C80148C20392A0E2FAA3FA4725F34FFE87B9C65B258E1A39CF744A3F3E4F7F920FB471B24F75ACF35ABEEC56D5A1CBB35B0BE7DA28F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....xf.........."..........X......w.............@..........................`.......M....@...@.......@.....................d...\|....@..L........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...L....@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	266
Entropy (8bit):	3.417598043482351
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclgMsUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlgMsQ1A1z4mA2n
MD5:	101BA0B4EF2B92F815E5087BD9B5B42E
SHA1:	E064699D7A775A592F82434C1AD13A1CEB73ED42
SHA-256:	D229E129C06D8D6B113C3E41C27FBC445976AF919AD7CA470BEF16D0D303783D
SHA-512:	ED38ED876CD047B6BCDD98A3948890C6867A0C37361FE451C0A6C2DD38C7AE75EA55DDC9B360B08831382E7B3CC42E2745DA7081A08AAA0300AD297D30514D5E
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: v31TgVEtHi.exe, Detection: malicious, Browse Filename: 54dse57Lv7.exe, Detection: malicious, Browse Filename: 001 Tech. Spec pdf.exe, Detection: malicious, Browse Filename: doc -scan file.exe, Detection: malicious, Browse Filename: payment order.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: ORDERDATASHEET#PO8738763.scr.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: temp.exe, Detection: malicious, Browse Filename: Urgent PO.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.955417618221877
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8f5WsFcnTc.exe
File size:	1'181'696 bytes
MD5:	3b1a4595328f7a92df02b7a116bc4f40
SHA1:	cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256:	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
SHA512:	590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f
SSDEEP:	24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aG3n5Bb3dKcuSD:sTvC/MTQYxsWR7ae5/Kcv
TLSH:	E645AE03738D812EFF9B91321A76E23156BC6F270123A55F32D85D7EB9701A5063E6E2
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	6ced8d96b2ace4b2

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6678AACE [Sun Jun 23 23:07:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F1E18EB2363h
jmp 00007F1E18EB1C6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1E18EB1E4Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1E18EB1E1Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F1E18EB4A0Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F1E18EB4A58h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F1E18EB4A41h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x49d4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x49d4c	0x49e00	7b60e02e213ebf11fb84f5dd962087c1	False	0.7681432423857868	data	7.478684822621651	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m	English	Great Britain	0.07952797823258015
RT_MENU	0xe4ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xe5048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe55dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe5c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe60f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe66f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe6d50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe71b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe7310	0x364ee	data			1.0003416559524558
RT_GROUP_ICON	0x11d800	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11d814	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11d828	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11d83c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11d850	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x11d95c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 16:34:20.094026089 CEST	49710	80	192.168.2.9	208.95.112.1
Jul 1, 2024 16:34:20.099081993 CEST	80	49710	208.95.112.1	192.168.2.9
Jul 1, 2024 16:34:20.099174976 CEST	49710	80	192.168.2.9	208.95.112.1
Jul 1, 2024 16:34:20.099538088 CEST	49710	80	192.168.2.9	208.95.112.1
Jul 1, 2024 16:34:20.104326010 CEST	80	49710	208.95.112.1	192.168.2.9
Jul 1, 2024 16:34:20.568973064 CEST	80	49710	208.95.112.1	192.168.2.9
Jul 1, 2024 16:34:20.613765001 CEST	49710	80	192.168.2.9	208.95.112.1
Jul 1, 2024 16:34:21.545663118 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:21.552422047 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:21.552633047 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:22.811178923 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:22.811548948 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:22.816392899 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.014241934 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.016508102 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.021410942 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.217020035 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.222819090 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.229692936 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.433963060 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.434021950 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.434034109 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.434047937 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.434175014 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.528855085 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.559345007 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.564234018 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.758737087 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.772218943 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.777767897 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.971975088 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:23.974436045 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:23.980619907 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:24.174834967 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:24.175241947 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:24.180109024 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:25.907798052 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:25.908222914 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:25.913054943 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:26.108114958 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:26.109525919 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:34:26.109591007 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:26.118097067 CEST	49711	26	192.168.2.9	178.238.222.77
Jul 1, 2024 16:34:26.123286963 CEST	26	49711	178.238.222.77	192.168.2.9
Jul 1, 2024 16:35:11.489381075 CEST	49710	80	192.168.2.9	208.95.112.1
Jul 1, 2024 16:35:11.496515989 CEST	80	49710	208.95.112.1	192.168.2.9
Jul 1, 2024 16:35:11.496679068 CEST	49710	80	192.168.2.9	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 16:34:20.049165010 CEST	53572	53	192.168.2.9	1.1.1.1
Jul 1, 2024 16:34:20.085066080 CEST	53	53572	1.1.1.1	192.168.2.9
Jul 1, 2024 16:34:21.477719069 CEST	50710	53	192.168.2.9	1.1.1.1
Jul 1, 2024 16:34:21.544591904 CEST	53	50710	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 16:34:20.049165010 CEST	192.168.2.9	1.1.1.1	0x1823	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 16:34:21.477719069 CEST	192.168.2.9	1.1.1.1	0xe7ce	Standard query (0)	mail.jaszredony.hu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 16:34:20.085066080 CEST	1.1.1.1	192.168.2.9	0x1823	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 1, 2024 16:34:21.544591904 CEST	1.1.1.1	192.168.2.9	0xe7ce	No error (0)	mail.jaszredony.hu		178.238.222.77	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49710	208.95.112.1	80	7612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 16:34:20.099538088 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 1, 2024 16:34:20.568973064 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 14:34:20 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	10:34:15
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\8f5WsFcnTc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8f5WsFcnTc.exe"
Imagebase:	0xca0000
File size:	1'181'696 bytes
MD5 hash:	3B1A4595328F7A92DF02B7A116BC4F40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:34:16
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8f5WsFcnTc.exe"
Imagebase:	0x1c0000
File size:	1'181'696 bytes
MD5 hash:	3B1A4595328F7A92DF02B7A116BC4F40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1474396665.0000000000C70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:34:18
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8f5WsFcnTc.exe"
Imagebase:	0x6d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2698924544.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2700598845.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2700598845.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:34:30
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x5b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:34:30
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:34:38
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x980000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:34:38
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:34:46
Start date:	01/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff6bca20000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:34:47
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1c0000
File size:	1'181'696 bytes
MD5 hash:	3B1A4595328F7A92DF02B7A116BC4F40
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000A.00000002.1774487883.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:34:48
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x440000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:34:48
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 24
Imagebase:	0xb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	52

Executed Functions

Function 00CA42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CA430D

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

GetCurrentProcess.KERNEL32(?,00D3CB64,00000000,?,?), ref: 00CA4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CA4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CA4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CA4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00CA4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CA447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CA44A0

Strings

GetNativeSystemInfo, xrefs: 00CA4460
kernel32.dll, xrefs: 00CA444F
|O, xrefs: 00CE36F8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 567128170a557ce9e7456b261e16ec9ad56ea7ac1bd90cb97b237dc007736731
Instruction ID: 7daf463096d3fe05b5a96b5a660e5c2827013d1bbd0124c06e19a44fdc6e7310
Opcode Fuzzy Hash: 567128170a557ce9e7456b261e16ec9ad56ea7ac1bd90cb97b237dc007736731
Instruction Fuzzy Hash: 64A1F37A91A3C0CFC715CB7E7C451A57FA47B67304B085A9AE08DD7BA2F2604688DB31

Function 00CA42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CA50AA,?,?,00000000,00000000), ref: 00CA42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CA50AA,?,?,00000000,00000000), ref: 00CA42C9
LoadResource.KERNEL32(?,00000000,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20), ref: 00CE35BE
SizeofResource.KERNEL32(?,00000000,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20), ref: 00CE35D3
LockResource.KERNEL32(00CA50AA,?,?,00CA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CA4F20,?), ref: 00CE35E6

Strings

SCRIPT, xrefs: 00CA42BF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3d9c1951c1989699f48eab2a8ee3bd5c8681c24d2c16f7afdf057dc5ed975762
Instruction ID: 16cdc337e22fae8ca31e96f1b14659934c6ecc9cfb362e20642e4bc8e7e1a4a8
Opcode Fuzzy Hash: 3d9c1951c1989699f48eab2a8ee3bd5c8681c24d2c16f7afdf057dc5ed975762
Instruction Fuzzy Hash: 80118E75240701BFD7258B65DC48F277BB9EBC6B55F104269F412EA250DBB1DD008730

Function 00CE2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CA2B6B

Part of subcall function 00CA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D71418,?,00CA2E7F,?,?,?,00000000), ref: 00CA3A78

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D62224), ref: 00CE2C10
ShellExecuteW.SHELL32(00000000,?,?,00D62224), ref: 00CE2C17

Strings

runas, xrefs: 00CE2C0B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 93c1224f00aebac3c1b0cb81badc2f477f7a781987e5bba8965f65700f9b63b1
Instruction ID: 14a410c24147b5da4991358393bb32eef250b34925ec1ba647e6ca82c9dd0c20
Opcode Fuzzy Hash: 93c1224f00aebac3c1b0cb81badc2f477f7a781987e5bba8965f65700f9b63b1
Instruction Fuzzy Hash: 7F11B4312083835BC714FF68E8669BE77A49B9335CF44552DF057521A2DF208A4AA732

Function 00D0DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00CE5222), ref: 00D0DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D0DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00D0DBEE
FindClose.KERNEL32(00000000), ref: 00D0DBFA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 72101fbcc153c051422b1d5290610a1d9178e43264c8eedae0f70726e1a0288f
Instruction ID: 99e105c7f183cf2045e32cf12e286e5c5438b736e4e211dd8a9b3975ad87a8a6
Opcode Fuzzy Hash: 72101fbcc153c051422b1d5290610a1d9178e43264c8eedae0f70726e1a0288f
Instruction Fuzzy Hash: EEF0A73142062057D2206BB89C0D56F3B7D9E05334B144703F879D11E0EBB0595486BD

Function 00CAD731 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CAD807
timeGetTime.WINMM ref: 00CADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CADB28
TranslateMessage.USER32(?), ref: 00CADB7B
DispatchMessageW.USER32(?), ref: 00CADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CADB9F
Sleep.KERNEL32(0000000A), ref: 00CADBB1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 90f0809d0d05c95599dcce83ae768eb86f6f8f2ba8b1a24c8dab4a61e8f19389
Instruction ID: f0e7da320600481fb9aeb052921aca58a0bbcdba6e2d8dfd62aac1f8a5fadfce
Opcode Fuzzy Hash: 90f0809d0d05c95599dcce83ae768eb86f6f8f2ba8b1a24c8dab4a61e8f19389
Instruction Fuzzy Hash: A242D130608346DFD768CF25C884BBAB7E0BF46318F144619E967876A1D770E984DBA3

Function 00CA2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CA2D07
RegisterClassExW.USER32(00000030), ref: 00CA2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CA2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CA2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CA2D6F
LoadIconW.USER32(000000A9), ref: 00CA2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CA2D94

Strings

+, xrefs: 00CA2CF0
TaskbarCreated, xrefs: 00CA2D37
AutoIt v3 GUI, xrefs: 00CA2D23
0, xrefs: 00CA2CE9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 13ff7899c5ff3461d3ec67ffec0fc217f0ad6f1c379808fad1ed9d318440c1d0
Instruction ID: 1611533b31fd5b976eaf2a4497ea232bef6b2c5f60b6251900ac8bdfd1ecc788
Opcode Fuzzy Hash: 13ff7899c5ff3461d3ec67ffec0fc217f0ad6f1c379808fad1ed9d318440c1d0
Instruction Fuzzy Hash: 8E21E7B9911309AFDB00DFA8E849BDDBBB4FB08700F10521AEA15F6390E7B145448FA0

Function 00CE065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CE0704,?,?,00000000,?,00CE0704,00000000,0000000C), ref: 00CE03B7

GetLastError.KERNEL32 ref: 00CE076F
__dosmaperr.LIBCMT ref: 00CE0776
GetFileType.KERNELBASE(00000000), ref: 00CE0782
GetLastError.KERNEL32 ref: 00CE078C
__dosmaperr.LIBCMT ref: 00CE0795
CloseHandle.KERNEL32(00000000), ref: 00CE07B5
CloseHandle.KERNEL32(?), ref: 00CE08FF
GetLastError.KERNEL32 ref: 00CE0931
__dosmaperr.LIBCMT ref: 00CE0938

Strings

H, xrefs: 00CE08BD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 287cec263b0eb354977916f226bb563c9eccfe30e7a29fbab20e4ac96cfd789a
Instruction ID: 915c3f220dff9d35e70168e6f3c222c6fe255576b369fd69b104543b1706c0f8
Opcode Fuzzy Hash: 287cec263b0eb354977916f226bb563c9eccfe30e7a29fbab20e4ac96cfd789a
Instruction Fuzzy Hash: 19A13732A002848FDF19AF68D851BAE7BA1AB06320F24015DF815EB3D1D7719D93DBA1

Function 00CA344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D71418,?,00CA2E7F,?,?,?,00000000), ref: 00CA3A78

Part of subcall function 00CA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CA3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CA356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CE318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CE31CE
RegCloseKey.ADVAPI32(?), ref: 00CE3210
_wcslen.LIBCMT ref: 00CE3277
_wcslen.LIBCMT ref: 00CE3286

Strings

Include, xrefs: 00CE3184, 00CE31C5
\Include\, xrefs: 00CA3527
\, xrefs: 00CE328C
Software\AutoIt v3\AutoIt, xrefs: 00CA3560

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0e3cf9bb7fe930c7f79143968e93d75914d201eb56d0c9f409f9d79a83b1236d
Instruction ID: 9b198f330af10d291e6cac08757f8afcc3cd607650009b6d93e7e209fef4696b
Opcode Fuzzy Hash: 0e3cf9bb7fe930c7f79143968e93d75914d201eb56d0c9f409f9d79a83b1236d
Instruction Fuzzy Hash: 8571A1714043819EC304EF65DC869ABBBE8FF85354F40482EF589D72A1EB749A88DB71

Function 00CA2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CA2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CA2B9D
LoadIconW.USER32(00000063), ref: 00CA2BB3
LoadIconW.USER32(000000A4), ref: 00CA2BC5
LoadIconW.USER32(000000A2), ref: 00CA2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CA2BEF
RegisterClassExW.USER32(?), ref: 00CA2C40

Part of subcall function 00CA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CA2D07
Part of subcall function 00CA2CD4: RegisterClassExW.USER32(00000030), ref: 00CA2D31
Part of subcall function 00CA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CA2D42
Part of subcall function 00CA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CA2D5F
Part of subcall function 00CA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CA2D6F
Part of subcall function 00CA2CD4: LoadIconW.USER32(000000A9), ref: 00CA2D85
Part of subcall function 00CA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CA2D94

Strings

AutoIt v3, xrefs: 00CA2C2F
#, xrefs: 00CA2C16
0, xrefs: 00CA2C0F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 62b08dd94e092f6bcbf6b99c9bc68b36ab19facfd9cdecf4b6d6fd368d8f3102
Instruction ID: fd8648db7f8c348b520a83cec27cc8d4b4705b30a5c3794adb7e19eca370a7c7
Opcode Fuzzy Hash: 62b08dd94e092f6bcbf6b99c9bc68b36ab19facfd9cdecf4b6d6fd368d8f3102
Instruction Fuzzy Hash: 77212CB9E10314ABDB109FA9EC56B9D7FB4FB48B50F10411AF508E67A0E7B15584CFA0

Function 00CA3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CA316A,?,?), ref: 00CA31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CA316A,?,?), ref: 00CA3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CA3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CA316A,?,?), ref: 00CA3232
CreatePopupMenu.USER32 ref: 00CA3246
PostQuitMessage.USER32(00000000), ref: 00CA3267

Strings

TaskbarCreated, xrefs: 00CA322D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 311a55d582a104fbea8fdfbf186e1ffcfad8ae9d77e6378ee0395d68535b5c3e
Instruction ID: e687aa99a59146e4452019a33a07ee454b27fc6dd5b33ebd11b6ba0829319a59
Opcode Fuzzy Hash: 311a55d582a104fbea8fdfbf186e1ffcfad8ae9d77e6378ee0395d68535b5c3e
Instruction Fuzzy Hash: DC412739250386ABDB151B7C9C2EB7D3A19E747348F040315FA2AD63E2E7618B40D7B1

Function 00CD8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f404b8cad575d6617be695cd8dc4377021e9c37ce4e3efda76a69909a84859e
Instruction ID: 7ad4634c29ee09b0e1567b25c6a49b4a74889a14bf3122b298d67340912cfc0f
Opcode Fuzzy Hash: 7f404b8cad575d6617be695cd8dc4377021e9c37ce4e3efda76a69909a84859e
Instruction Fuzzy Hash: AFC1D478E04349AFDB11DFA8D841BADBFB1EF0D310F14419AE629A7392C7349A41DB61

Function 00F50920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F50965

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 438ae1864eb03bf5ef6ec67ef774b5f9a2d7e1bc9fadd26638867beb7fc7b49f
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: DB51F776A50208FBEF20DFB4CC49FDE7778AF48711F108554FA0AEA280DA749A459B60

Function 00CA2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CA2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CA2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CA1CAD,?), ref: 00CA2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CA1CAD,?), ref: 00CA2CCF

Strings

AutoIt v3, xrefs: 00CA2C89, 00CA2C8E, 00CA2C8F
edit, xrefs: 00CA2CAC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dcb022980bea03d569288eb51f73eda80ef56eb36c50282fcb72ac2d29eda040
Instruction ID: 934f8234dbc14a1fd1feb8f02a986a2c6eefb233be447ee9fa665208bdae47de
Opcode Fuzzy Hash: dcb022980bea03d569288eb51f73eda80ef56eb36c50282fcb72ac2d29eda040
Instruction Fuzzy Hash: 3CF0DA795503A07AEB31176BAC09F773EBDD7C6F50F01515AF908E27A0E6611890DEB0

Function 00D12947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12C05
DeleteFileW.KERNEL32(?), ref: 00D12C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D12C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D12CC0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 650b1f6561c86c02e5004f4cb6c76a5f4b890e996cfd1c5c643091db9795e64c
Instruction ID: 76ffd07998001f5910d26348173bb80dd025bb16cc9228c8f25ea7439038fea1
Opcode Fuzzy Hash: 650b1f6561c86c02e5004f4cb6c76a5f4b890e996cfd1c5c643091db9795e64c
Instruction Fuzzy Hash: 35B16D71900119BBDF21DBA4DD85EEEB7BDEF09350F0040AAF609E6141EA319A949FB0

Function 00F523B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F522A0: Sleep.KERNELBASE(000001F4), ref: 00F522B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F524F7

Strings

ZYJLTU9PTKP9Y8GR07YQ6, xrefs: 00F52577, 00F5257A

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateFileSleep
String ID: ZYJLTU9PTKP9Y8GR07YQ6
API String ID: 2694422964-2099169911
Opcode ID: 26b1d4384a3d88f97a80fc3615d0b392e07d0e5610a19a6c87085f19239739d9
Instruction ID: 3847b1c25880ad181fac9f63e25bdb2948a047ec8792b6c9363e49d41548dcc3
Opcode Fuzzy Hash: 26b1d4384a3d88f97a80fc3615d0b392e07d0e5610a19a6c87085f19239739d9
Instruction Fuzzy Hash: 5661B230D04248DBEF11DBB4C854BEEBBB9AF19305F044199E608BB2C0D6B91B49CB66

Function 00CA3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00CA3B0F,SwapMouseButtons,00000004,?), ref: 00CA3B83

Strings

Control Panel\Mouse, xrefs: 00CA3B3E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0aa221730c27bd8f5516bc6ddce5f0d8f3a55824b4476226ea3ad2638ddfd241
Instruction ID: 4a83c00bd1c8bf4384e12433d51a38e91afa87ee58cddcb96c8222704af525c1
Opcode Fuzzy Hash: 0aa221730c27bd8f5516bc6ddce5f0d8f3a55824b4476226ea3ad2638ddfd241
Instruction Fuzzy Hash: 19112AB5521249FFDB208FA5EC99AAEB7B9EF05748B104459B805E7210D3319F409770

Function 00CADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00CF32B7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3ce9648207678bc6d63a785bfc9a0665cacef256c9e62c778b67e7d6abbcb486
Instruction ID: 60c56abfd251662a5d1567ca6cb1081368398b6782ad0e8fbe20cc93f880487b
Opcode Fuzzy Hash: 3ce9648207678bc6d63a785bfc9a0665cacef256c9e62c778b67e7d6abbcb486
Instruction Fuzzy Hash: E0C2A071E00216DFCB24CF58C880AADB7B1FF4A318F248559E915AB3A1D375EE41DBA1

Function 00CA3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CE33A2

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CA3A04

Strings

Line: , xrefs: 00CE33EB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 256aea2ffe7e512705de79d69950e580eda5b7df7f5290fe5f46f2971e04804a
Instruction ID: 6b343658e39a09eb598346af34bacafc2d8f326851dd289bc0fe10e913fb22eb
Opcode Fuzzy Hash: 256aea2ffe7e512705de79d69950e580eda5b7df7f5290fe5f46f2971e04804a
Instruction Fuzzy Hash: 5931F671408341AFC721EB64DC56FEBB7E8AB41318F00461EF499931A1EB709B49D7D2

Function 00CBFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CC0668

Part of subcall function 00CC32A4: RaiseException.KERNEL32(?,?,?,00CC068A,?,00D71444,?,?,?,?,?,?,00CC068A,00CA1129,00D68738,00CA1129), ref: 00CC3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CC0685

Strings

Unknown exception, xrefs: 00CC0692

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0fdb1bb6129c9da020d37375f4a286b4b1eda81a80ae787485337fbe19a3951f
Instruction ID: b5dc62cbdae627264de5b3ce80366b5032d589ac00861a7c3a469a1bf82c604c
Opcode Fuzzy Hash: 0fdb1bb6129c9da020d37375f4a286b4b1eda81a80ae787485337fbe19a3951f
Instruction Fuzzy Hash: D8F04F3490020DB78F04BAB5EC4AE9E7B6C5E40350F70853DF92496692EF71DB6AA690

Function 00F51000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F51045
ExitProcess.KERNEL32(00000000), ref: 00F51064

Strings

D, xrefs: 00F51011

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction ID: 905a79932842f65ccf15203f464157c1dbc82b1f03a484ec5f78d8d7ec09ec32
Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
Instruction Fuzzy Hash: F9F0FF7294024CABDB60EFE0CD49FEE777CBF04701F148508FB0A9A180EA7896489B61

Function 00D13017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D1302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D13044

Strings

aut, xrefs: 00D13038

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cdea82cefd5bbaeecf39b68d0c2851d9d6ae26db6997c9ac8ab201129811d637
Instruction ID: e637c6d61a73a2ba9effc98ebd82e63ab9f1a8bf225b0146c120a43be6eda844
Opcode Fuzzy Hash: cdea82cefd5bbaeecf39b68d0c2851d9d6ae26db6997c9ac8ab201129811d637
Instruction Fuzzy Hash: 9BD05E765003286BDA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2191DAB0D984CBE4

Function 00D27F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00D282F5
TerminateProcess.KERNEL32(00000000), ref: 00D282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00D284DD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 24fa707e6774b2fbfe310c5597e4526b679716cdeb9062c7d15c4218b3250507
Instruction ID: 1f0e5bdca0f9c97bcad08973725bd508213d545e5cb9b19edd602436146671ad
Opcode Fuzzy Hash: 24fa707e6774b2fbfe310c5597e4526b679716cdeb9062c7d15c4218b3250507
Instruction Fuzzy Hash: 2B127C719083519FC714DF28D484B6ABBE1FF95318F08895DE8998B352CB31ED46CBA2

Function 00CD5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba0f9cca0961138c3b38f2b6b6749277339ce4a1add734961d58211cc8d81e5
Instruction ID: 6e16bb98a17799c2fb3ec33db8af8355502f5fd34c16f5b9edfcadac0a8ed2b0
Opcode Fuzzy Hash: cba0f9cca0961138c3b38f2b6b6749277339ce4a1add734961d58211cc8d81e5
Instruction Fuzzy Hash: 2D51EF75D10609AFDB209FA5C885FAEBFB8AF49310F14005FF615A7391D7718A02EB61

Function 00CA10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA1BF4
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA1BFC
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA1C07
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA1C12
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA1C1A
Part of subcall function 00CA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA1C22

Part of subcall function 00CA1B4A: RegisterWindowMessageW.USER32(00000004,?,00CA12C4), ref: 00CA1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CA136A
OleInitialize.OLE32 ref: 00CA1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CE24AB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2272a2c3909c30b5bbe0bac8a0e03017cccb708182b7b659ce58ebbf39124178
Instruction ID: 54032aad866597610aa886c5944869049180585a9c3074a6d1aabb101b0a6b9b
Opcode Fuzzy Hash: 2272a2c3909c30b5bbe0bac8a0e03017cccb708182b7b659ce58ebbf39124178
Instruction Fuzzy Hash: C07199BC9213019EC388EF7DA8466993AF5FB89348B58832A940ED7361FB304484DF71

Function 00CA54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00CA556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00CA557D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 01b49185336fbaf8f6fdd9e949e52c30821bff2df30d8648025d4d6fc7cd94bf
Instruction ID: 38b698a00f03c3b26074ce7f48c0a7abdc7ef5c5a86912c2a6657f00e3af2553
Opcode Fuzzy Hash: 01b49185336fbaf8f6fdd9e949e52c30821bff2df30d8648025d4d6fc7cd94bf
Instruction Fuzzy Hash: DF315D71A00A0AFFDB14CF68C880B99B7B6FB48718F14C629E91997240D771FE94DB90

Function 00CD86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00CD85CC,?,00D68CC8,0000000C), ref: 00CD8704
GetLastError.KERNEL32(?,00CD85CC,?,00D68CC8,0000000C), ref: 00CD870E
__dosmaperr.LIBCMT ref: 00CD8739

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: b66575f25cf9d80adb10f1e21809c4085fa74e9dba93cd07b2b691f3933cf16b
Instruction ID: 09dc2cca28b36c94b2bff036bf9c6288d960e780a01e005f3f3872c3d69718f1
Opcode Fuzzy Hash: b66575f25cf9d80adb10f1e21809c4085fa74e9dba93cd07b2b691f3933cf16b
Instruction Fuzzy Hash: 3001613360576026D6246734A845B7E6B498F81774F39011FFB28DB3E2DEB0CDC69260

Function 00D12FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00D12CD4,?,?,?,00000004,00000001), ref: 00D12FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D13006
CloseHandle.KERNEL32(00000000,?,00D12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D1300D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d75501e1a22511488c282aeff694c26a350b3267da113929c53ac32e89ef18a3
Instruction ID: bbe13a0aee2852dc3e6d732f7c61c7ccc979b789dc4d66c62996652b7ff17fd6
Opcode Fuzzy Hash: d75501e1a22511488c282aeff694c26a350b3267da113929c53ac32e89ef18a3
Instruction Fuzzy Hash: 6EE0863269131077D2301755BC0DFCB3A5CD78AB71F104210F719B51D046A0550153B8

Function 00CB1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CB17F6

Strings

CALL, xrefs: 00CB17C6

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a438da23fe879d8f27b23ee614df692a723209a847e9e37ee95971194ef0e3f9
Instruction ID: 614b49d53bf130771da19a123a7ff1aad2400a89132f6e4faedae1c73197fd93
Opcode Fuzzy Hash: a438da23fe879d8f27b23ee614df692a723209a847e9e37ee95971194ef0e3f9
Instruction Fuzzy Hash: 6622AB706083419FC714CF25C8A0AAABBF1FF85314F68891DF9968B3A1D731E945DB92

Function 00D16EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D16F6B

Part of subcall function 00CA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D16F5A, 00D16F63

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: ba6453cb937b469239d35622e38b78759727587dda7152b5c2550b438091e769
Instruction ID: a92f29eb60fa0760139586e2d5dd59a9725842996e251ecc8d63f302c9463d1f
Opcode Fuzzy Hash: ba6453cb937b469239d35622e38b78759727587dda7152b5c2550b438091e769
Instruction Fuzzy Hash: A5B180315082029FCB14EF24D8919AEB7F5BF95304F04891DF496872A2DF30ED89DBA2

Function 00CA2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CE2C8C

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00CA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CA2DC4

Strings

X, xrefs: 00CE2C5A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 0f9d3798246b517a842a8df4b55cf9828519ec9f9e7e7ea231f2f22d031ba133
Instruction ID: 94154f4a640e1a4af54b232b5783fc2c9544b9fe45d30c3f3234b6446dba0140
Opcode Fuzzy Hash: 0f9d3798246b517a842a8df4b55cf9828519ec9f9e7e7ea231f2f22d031ba133
Instruction Fuzzy Hash: CB219371A002989BDB05DF99C845BEE7BFCAF49308F004059E505F7341DBB49A899BA1

Function 00D12557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D12587

Strings

EA06, xrefs: 00D125B9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 712d8b101d7cf73b4b654876cdeea894865cf68b8b905bd095951be20993ca19
Instruction ID: 9865faf2078b55f16e22ed3f31266f27e9575bbb89d4eb0819a380c0d8c6eb79
Opcode Fuzzy Hash: 712d8b101d7cf73b4b654876cdeea894865cf68b8b905bd095951be20993ca19
Instruction Fuzzy Hash: F501B5729442587EEF28C7A8C856FFEBBF89B05301F00455EE192D21C1E5B5E6189B60

Function 00CA3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CA3908

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2bedd2593384fb7d197e07a807c869b3ee78789daca2241a310edf1c12046245
Instruction ID: 340dacf86898e224f3e3c9b0d030e95968ca23ab199fc56772e5d2a25eed2789
Opcode Fuzzy Hash: 2bedd2593384fb7d197e07a807c869b3ee78789daca2241a310edf1c12046245
Instruction Fuzzy Hash: 383180705043419FD720DF64D895797BBE8FB49708F00092EF599D7390E775AA44CB62

Function 00CA5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00CA949C,?,00008000), ref: 00CA5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00CA949C,?,00008000), ref: 00CE4052

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac80a9ab2b6d599835fdea28b5749895f34a3f4b828f685e401d1fee68a4508c
Instruction ID: af12e4e60163be3c64bee3292c657f50ff8fa0c5612c875cb9659b16d2e0331a
Opcode Fuzzy Hash: ac80a9ab2b6d599835fdea28b5749895f34a3f4b828f685e401d1fee68a4508c
Instruction Fuzzy Hash: 19015231145325BAE3315A2ADC0EF977F98EF067B4F14C310BAACAA1E0D7B45954DB90

Function 00CA6E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00CA9879,?,?,?), ref: 00CA6E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00CA9879,?,?,?), ref: 00CA6E69

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 2acab0a1ec8cc11bddbd3a18b9176b995728f99e5e1b63753016c01e38bcd159
Instruction ID: 4a9e5df6da3c32ecba72d9a6f3ded9234a3fefc349228a204cac2905b1e7efd5
Opcode Fuzzy Hash: 2acab0a1ec8cc11bddbd3a18b9176b995728f99e5e1b63753016c01e38bcd159
Instruction Fuzzy Hash: DA01D4713002017FEB196BB99C0BF7F7AADDB85300F14003DB106DA2E1E960AD00A630

Function 00F51070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00F508E0: GetFileAttributesW.KERNELBASE(?), ref: 00F508EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00F5119F

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 5468e61e16de3a673499f63b67702db3409f66859a3166e7a959fa09b0ce8f4e
Instruction ID: cf3d81d9180ce80da999699f2badbbfb5d41356cf4c2035d102b229c975e6fbf
Opcode Fuzzy Hash: 5468e61e16de3a673499f63b67702db3409f66859a3166e7a959fa09b0ce8f4e
Instruction Fuzzy Hash: 49518731A1020997DF14EFA0CD55BEF7379EF58301F0045A9AA09E7180EB79AB48CBA5

Function 00CA4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E9C
Part of subcall function 00CA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CA4EAE
Part of subcall function 00CA4E90: FreeLibrary.KERNEL32(00000000,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EFD

Part of subcall function 00CA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E62
Part of subcall function 00CA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CA4E74
Part of subcall function 00CA4E59: FreeLibrary.KERNEL32(00000000,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E87

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 67b6f3ed7be25d5621f7666420ef07018edbb46c2c53fbc7c0078e0656aad168
Instruction ID: 9912364e94fa306e3394ebb9f403862c877fcd44b19db9d21a481c6ffdf86861
Opcode Fuzzy Hash: 67b6f3ed7be25d5621f7666420ef07018edbb46c2c53fbc7c0078e0656aad168
Instruction Fuzzy Hash: F811E732610206AECB18ABA5DC06FADB7A59F81714F20842DF552B71C1DEB1AE45A760

Function 00CD8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CD8440

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 517608472ca71d8fd715736d144a4877f4f8d7f6c3065a3a28b6688149758821
Instruction ID: f849ac841ef32f91c291cdda71be5466d358a1e651e9b4b61425ea5d1722ad05
Opcode Fuzzy Hash: 517608472ca71d8fd715736d144a4877f4f8d7f6c3065a3a28b6688149758821
Instruction Fuzzy Hash: 8511187590420AAFCB05DF58E941A9F7BF5FF48314F10405AF918AB312DB31EA15CBA5

Function 00CA9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00CA543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00CA9A9C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4523321820cca985d3b08c57969afeeeb43e61538b63eef6175e4de3bc815e15
Instruction ID: b7d85d16fbcd4e982ddda5bdeaab7a851b51402d3863e3aea280a9c12d8287a1
Opcode Fuzzy Hash: 4523321820cca985d3b08c57969afeeeb43e61538b63eef6175e4de3bc815e15
Instruction Fuzzy Hash: D0114C312047069FD720CF16C882BA6B7F9EF45758F14C42EE5AB86651C770AD45EB60

Function 00CD5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CD4C7D: RtlAllocateHeap.NTDLL(00000008,00CA1129,00000000,?,00CD2E29,00000001,00000364,?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?), ref: 00CD4CBE

_free.LIBCMT ref: 00CD506C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 8027b9d558863091732c92e195847d1970dedc5b1329384418793bec94e9ee61
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: AC0126722047046BE3218E659881A5AFBECFB89370F25051EE294833C0EA30A905C6B4

Function 00CCE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 93ab542fed98b12c4feb0f467adf10fce37e101716b445e7020471521c490bcf
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2EF0F432521A18D7C6313A7ACC05F9A339C9F63330F10072EF621922D2DB74E906A6A5

Function 00CA9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA9CBD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e5ae0284a8e1c74d5c21a40028d27b23a0e0331802692773227312db900d97bb
Instruction ID: 503601a6138ceeda759ba81596cee130d77739bdfa83048d0eae1757846647b1
Opcode Fuzzy Hash: e5ae0284a8e1c74d5c21a40028d27b23a0e0331802692773227312db900d97bb
Instruction Fuzzy Hash: 16F0C8B36006116ED7149F39DC07FA7BB98EB44760F10852EF619CB2D1DB31E51097A0

Function 00CD4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00CA1129,00000000,?,00CD2E29,00000001,00000364,?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?), ref: 00CD4CBE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6fb95648a456e4b801c73f792273babacaff3b658f407f29a64b62eda623f0be
Instruction ID: 9ff0f6fa4f846b7597f77e728e944781f53545768b99ccd6d2f1a1bc6d619227
Opcode Fuzzy Hash: 6fb95648a456e4b801c73f792273babacaff3b658f407f29a64b62eda623f0be
Instruction Fuzzy Hash: 7DF0E93172222467DB295F66DC05F5A3789BFD17A1B15811BFB29EA380CB70D90196E0

Function 00CD3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bbffe3c9b4482090ee36f780f49a80b90c1cf6d0250ad88ed9aaf8c380e65da
Instruction ID: 3c18f9799b70245a11804a227fcb8014105e5330f95af80cd13a3ed9c8137507
Opcode Fuzzy Hash: 9bbffe3c9b4482090ee36f780f49a80b90c1cf6d0250ad88ed9aaf8c380e65da
Instruction Fuzzy Hash: 71E0E5312003A456D7212667DC00F9A374AAB427B0F09012BFE24D67C0DB50DF01B2F2

Function 00CA4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4F6D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: acacbfe443510a57cbf31fd96ffd18d6e6ec3053398acfd5055ab84e88300eee
Instruction ID: 360abd2ee178dcfba583855524182e7571c18ba082a4cb405ec391100ff12bb8
Opcode Fuzzy Hash: acacbfe443510a57cbf31fd96ffd18d6e6ec3053398acfd5055ab84e88300eee
Instruction Fuzzy Hash: 5BF03971105752CFDB389FA5D890822BBE4AF5632D320997EE1EA82621C7B19844EF51

Function 00CA2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CA2DC4

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3c8fdf593d830b4a48727aa77bc32dadc1bab160bf9812b944d391fde7befad5
Instruction ID: c75159b90437ab19d606c36d68b0c49bdc82ba737e5877443bfdfb1ed12bcc8a
Opcode Fuzzy Hash: 3c8fdf593d830b4a48727aa77bc32dadc1bab160bf9812b944d391fde7befad5
Instruction Fuzzy Hash: 72E0C276A002245BCB21E7989C06FEA77EDDFC8790F0800B1FD09E7248DA70AD8096A0

Function 00D12693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D126B5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 458b47a68a8a100dff8ca85638edac0fb0acb96541dd2f7e7a051260c87dbaac
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 90E048B06097005FDF395A28B8517F677D49F49300F04045EF59B82252E5736855865D

Function 00CA2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CA3908

Part of subcall function 00CAD731: GetInputState.USER32 ref: 00CAD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CA2B6B

Part of subcall function 00CA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CA314E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4041dd46524563b8be07acb20faf0e332e1d8b68d0b35b6d04f93821b286b2b0
Instruction ID: 0d1c2a78e5813a545ea6f2909ea8c270e99392706b9bafdb51f6b872948d8e02
Opcode Fuzzy Hash: 4041dd46524563b8be07acb20faf0e332e1d8b68d0b35b6d04f93821b286b2b0
Instruction Fuzzy Hash: 53E0262230028607C608BB38A8264BDA349CBD335DF40153EF047832A2DE2446455321

Function 00F508E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F508EB

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 9d30e7a52f0a4b478abeaecf45531163e0b1c5408d06da268e890344d2ca5829
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 67E0867190520CDBD710CBB88814AA977A4D704322F104654EE15C3281D930CD44B698

Function 00CE039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CE0704,?,?,00000000,?,00CE0704,00000000,0000000C), ref: 00CE03B7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ac93ffc9345b96b0bd5d01fe81fefae57dd35afa5012a91119cc6f8af98ad5ad
Instruction ID: c6e7d4edb44bd459e0938956ed05e221a4429cd43705fe1294d43f5370eec8d3
Opcode Fuzzy Hash: ac93ffc9345b96b0bd5d01fe81fefae57dd35afa5012a91119cc6f8af98ad5ad
Instruction Fuzzy Hash: B2D06C3205020DBBDF028F84DD06EDA3BAAFB48714F014000BE18A6120C732E821AB90

Function 00F508B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F508BB

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: af135aab674a08e52154f987af3a7d6f828b54f2c2fcacda01898d3152cd2c0c
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 13D05E3190620CABCB10CAA49804A9A73A8AB04322F104764EE1597280DA319948A790

Function 00CA1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CA1CBC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a5dca6a1dd0f4cc68294065b10d30d443789fb6c7b67a1893e0d6898eda5ef97
Instruction ID: cf7a8a48fe4a40550f5c48fb5f297a564ea801b99605ea061d6ad5a1f9361af9
Opcode Fuzzy Hash: a5dca6a1dd0f4cc68294065b10d30d443789fb6c7b67a1893e0d6898eda5ef97
Instruction Fuzzy Hash: 21C0923B290304EFF2148B94BC4BF207764A348B00F048001F64DE9BE3E3A228A0EB70

Function 00D1744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00CA5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00CA949C,?,00008000), ref: 00CA5773

GetLastError.KERNEL32(00000002,00000000), ref: 00D176DE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 5e3be00feedf47b65d1e72b39977b3fae0bcd5659e385ce9a9bd6e1b14439b1f
Instruction ID: e522b538608aefc33a0550f9bf6473fced56fdba0469cfa2ca7e0a5f501b8fb6
Opcode Fuzzy Hash: 5e3be00feedf47b65d1e72b39977b3fae0bcd5659e385ce9a9bd6e1b14439b1f
Instruction Fuzzy Hash: F68170306087029FCB14EF28D491BA9B7F1BF89354F08451DF8865B2A2DB30ED85DB62

Function 00CBFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00CBFD1F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b16129c3e49a96ec156e97a539598fe722d4636b0b6446854af56ef23dec1540
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7131DB75A00109DBD718CF69D8809A9FBA5FF49300F2486A9E815CB756D731EEC2CBD0

Function 00F5229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F522B1

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 5f777c8e874bdc59fdd1d3645e0cda82911e4837e4a3b70b43b1cf8a82cfd9d0
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 88E0BF7594010EEFDB00EFA8D5496DE7BB4EF04312F1006A1FD05E7680DB309E549A62

Function 00F522A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F522B1

Memory Dump Source

Source File: 00000000.00000002.1460557566.0000000000F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_8f5WsFcnTc.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 27750e97668d80b6ad7619c521b2bb337fc586df55405d1d3c2b9e92120aa84a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 28E0E67594010EEFDB00EFB8D54969E7FB4EF04302F100261FD05E2280D6309D509A72

Non-executed Functions

Function 00D39576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D3961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D3969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D396C9
SendMessageW.USER32 ref: 00D396F2
GetKeyState.USER32(00000011), ref: 00D3978B
GetKeyState.USER32(00000009), ref: 00D39798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D397AE
GetKeyState.USER32(00000010), ref: 00D397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D397E9
SendMessageW.USER32 ref: 00D39810
SendMessageW.USER32(?,00001030,?,00D37E95), ref: 00D39918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D3992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D39941
SetCapture.USER32(?), ref: 00D3994A
ClientToScreen.USER32(?,?), ref: 00D399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D399D6
ReleaseCapture.USER32 ref: 00D399E1
GetCursorPos.USER32(?), ref: 00D39A19
ScreenToClient.USER32(?,?), ref: 00D39A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D39A80
SendMessageW.USER32 ref: 00D39AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D39AEB
SendMessageW.USER32 ref: 00D39B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D39B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D39B4A
GetCursorPos.USER32(?), ref: 00D39B68
ScreenToClient.USER32(?,?), ref: 00D39B75
GetParent.USER32(?), ref: 00D39B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D39BFA
SendMessageW.USER32 ref: 00D39C2B
ClientToScreen.USER32(?,?), ref: 00D39C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D39CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D39CDE
SendMessageW.USER32 ref: 00D39D01
ClientToScreen.USER32(?,?), ref: 00D39D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D39D82

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

GetWindowLongW.USER32(?,000000F0), ref: 00D39E05

Strings

@U=u, xrefs: 00D3965B, 00D396C9, 00D396F2, 00D397AE, 00D397E9, 00D39810, 00D39918, 00D39A80, 00D39AAE, 00D39AEB, 00D39B1A, 00D39BFA, 00D39C2B, 00D39CDE, 00D39D01
@GUI_DRAGID, xrefs: 00D3997D
F, xrefs: 00D39D07

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: 62846337ff8aad47e5a34877a1725dbb4e0b026ceb1f203a6aa09cb476512d6e
Instruction ID: 2920cacada72f44b01cfd09caa680de86f2511781aaa0d014ef65aedf3a7eec7
Opcode Fuzzy Hash: 62846337ff8aad47e5a34877a1725dbb4e0b026ceb1f203a6aa09cb476512d6e
Instruction Fuzzy Hash: DF42AA35205301AFDB24CF28CCA5AAABBE5FF49310F180619F699D72A1D7B1E851CF61

Function 00D34873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D34908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D34927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D3494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D3495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D3497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D34A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D34A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D34A7E
IsMenu.USER32(?), ref: 00D34A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D34AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D34B20
GetWindowLongW.USER32(?,000000F0), ref: 00D34B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D34BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D34C82
wsprintfW.USER32 ref: 00D34CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D34CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D34CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D34D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D34D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D34D5A

Strings

@U=u, xrefs: 00D348F3, 00D34908, 00D3495C, 00D34A0F, 00D34A56, 00D34A7E, 00D34BE3, 00D34C82, 00D34CC9, 00D34D13, 00D34D33, 00D34E15, 00D34E4E, 00D34EA5, 00D34F10
%d/%02d/%02d, xrefs: 00D34CA8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: c2bd7d2ce344cdb884c7b793e1b5cd290a426a4e6da21a3a21ef96aaad5a3b43
Instruction ID: b40f60e5fa4656143811ff181a6b1095ccd0ec246c02ee1fb6b29550ef4c3ad9
Opcode Fuzzy Hash: c2bd7d2ce344cdb884c7b793e1b5cd290a426a4e6da21a3a21ef96aaad5a3b43
Instruction Fuzzy Hash: CE12D071600354ABEB248F28DC49FAE7BF8EF45710F184129F515EA2E1DB78E941CB60

Function 00CBF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CBF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CFF474
IsIconic.USER32(00000000), ref: 00CFF47D
ShowWindow.USER32(00000000,00000009), ref: 00CFF48A
SetForegroundWindow.USER32(00000000), ref: 00CFF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CFF4AA
GetCurrentThreadId.KERNEL32 ref: 00CFF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CFF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CFF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CFF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CFF4DE
SetForegroundWindow.USER32(00000000), ref: 00CFF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF4F6
keybd_event.USER32(00000012,00000000), ref: 00CFF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF50B
keybd_event.USER32(00000012,00000000), ref: 00CFF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF519
keybd_event.USER32(00000012,00000000), ref: 00CFF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CFF528
keybd_event.USER32(00000012,00000000), ref: 00CFF52D
SetForegroundWindow.USER32(00000000), ref: 00CFF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CFF557

Strings

Shell_TrayWnd, xrefs: 00CFF46F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 212bcfb8870ce12baa89b785c525e378db48320f53a9ae95dd3977714b0503eb
Instruction ID: 081399163b3d8fd074d740167a5402e8651bb6a45bbb19d4a3c5648b4e93adcf
Opcode Fuzzy Hash: 212bcfb8870ce12baa89b785c525e378db48320f53a9ae95dd3977714b0503eb
Instruction Fuzzy Hash: B4313E71A50318BBEB206BB55C4AFBF7E6CEB44B50F141069FA01F62D1C6B19901ABB1

Function 00D01201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
Part of subcall function 00D016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
Part of subcall function 00D016C3: GetLastError.KERNEL32 ref: 00D0174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D01286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D012A8
CloseHandle.KERNEL32(?), ref: 00D012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D012D1
GetProcessWindowStation.USER32 ref: 00D012EA
SetProcessWindowStation.USER32(00000000), ref: 00D012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D01310

Part of subcall function 00D010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D011FC), ref: 00D010D4
Part of subcall function 00D010BF: CloseHandle.KERNEL32(?,?,00D011FC), ref: 00D010E9

Strings

winsta0, xrefs: 00D012CC
default, xrefs: 00D0130B
, xrefs: 00D0125A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 658532e4a46559da3670e6569ec38ca81e2db014e21ed9e6ece6eaeccb961683
Instruction ID: 08b3faed44d2c28a640f62ace9d6701c6e1a4f0c5cf7e74f569852876c20989f
Opcode Fuzzy Hash: 658532e4a46559da3670e6569ec38ca81e2db014e21ed9e6ece6eaeccb961683
Instruction Fuzzy Hash: 2C816575900249ABDF219FA4DC49BEE7BB9EF04704F184129F918F62A0C771DA58CB30

Function 00D00B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
Part of subcall function 00D010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
Part of subcall function 00D010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
Part of subcall function 00D010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D00BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D00C00
GetLengthSid.ADVAPI32(?), ref: 00D00C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D00C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D00C6D
GetLengthSid.ADVAPI32(?), ref: 00D00C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D00C8C
HeapAlloc.KERNEL32(00000000), ref: 00D00C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D00CB4
CopySid.ADVAPI32(00000000), ref: 00D00CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D00CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D00D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D00D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D45
HeapFree.KERNEL32(00000000), ref: 00D00D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D55
HeapFree.KERNEL32(00000000), ref: 00D00D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00D65
HeapFree.KERNEL32(00000000), ref: 00D00D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D00D78
HeapFree.KERNEL32(00000000), ref: 00D00D7F

Part of subcall function 00D01193: GetProcessHeap.KERNEL32(00000008,00D00BB1,?,00000000,?,00D00BB1,?), ref: 00D011A1
Part of subcall function 00D01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D00BB1,?), ref: 00D011A8
Part of subcall function 00D01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D00BB1,?), ref: 00D011B7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 357ae1b1a9afac5bb23ae605c8341ae082ba9caba71e0868cc7b38781d000da4
Instruction ID: a04c49032243b9394daad2c2cc587767cc46d739c82ddfb01e1eaa454080618d
Opcode Fuzzy Hash: 357ae1b1a9afac5bb23ae605c8341ae082ba9caba71e0868cc7b38781d000da4
Instruction Fuzzy Hash: 1D711676A0020ABBDF10DFA4DC45BEEBBBDAF04310F184525E919E6291D775AA05CBB0

Function 00D1EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D3CC08), ref: 00D1EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D1EB37
GetClipboardData.USER32(0000000D), ref: 00D1EB43
CloseClipboard.USER32 ref: 00D1EB4F
GlobalLock.KERNEL32(00000000), ref: 00D1EB87
CloseClipboard.USER32 ref: 00D1EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00D1EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D1EBC9
GetClipboardData.USER32(00000001), ref: 00D1EBD1
GlobalLock.KERNEL32(00000000), ref: 00D1EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00D1EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D1EC38
GetClipboardData.USER32(0000000F), ref: 00D1EC44
GlobalLock.KERNEL32(00000000), ref: 00D1EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D1EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D1EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D1ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00D1ECF3
CountClipboardFormats.USER32 ref: 00D1ED14
CloseClipboard.USER32 ref: 00D1ED59

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 000b56a6d723c015785c530dd1d4cf6f6320c049da273b3866189cb262bdcce0
Instruction ID: 96c52d07a82a68100b43a27375df346871c3805709661b0aa883ffd8debb84ee
Opcode Fuzzy Hash: 000b56a6d723c015785c530dd1d4cf6f6320c049da273b3866189cb262bdcce0
Instruction Fuzzy Hash: 9261C135204302AFD300EF24E889FAA77A4EF85714F085519F856D72A2DF71D985DBB2

Function 00D1698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D169BE
FindClose.KERNEL32(00000000), ref: 00D16A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D16A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D16A75

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D16AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D16ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D16B6A
%02d, xrefs: 00D16C00, 00D16C0A, 00D16C5A, 00D16CAA, 00D16CFA, 00D16D4A
%03d, xrefs: 00D16DA2
%4d, xrefs: 00D16BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D16B32

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: adb64259059b659c742cc3d1f9dd22bed80c3f218752d731413e8ba32c14d13f
Instruction ID: 55204b5afb840e6d5df06157a92e626db567aba1698a7ba8f6861e0bc1eed585
Opcode Fuzzy Hash: adb64259059b659c742cc3d1f9dd22bed80c3f218752d731413e8ba32c14d13f
Instruction Fuzzy Hash: C6D14F72508301AFC710EBA4DC86EABB7ECEF89708F04491DF585D6291EB74DA44DB62

Function 00D19642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D19663
GetFileAttributesW.KERNEL32(?), ref: 00D196A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D196BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D196D3
FindClose.KERNEL32(00000000), ref: 00D196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1974A
SetCurrentDirectoryW.KERNEL32(00D66B7C), ref: 00D19768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D19772
FindClose.KERNEL32(00000000), ref: 00D1977F
FindClose.KERNEL32(00000000), ref: 00D1978F

Strings

*.*, xrefs: 00D196F5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f2134b68af531f0e0c20300495a79e312751aa696fbf965b1b59ce5619feb879
Instruction ID: f4ca51ebe6ad5e0191b0631743f7a0607aba82da63e58f92c14d1f9f00e49080
Opcode Fuzzy Hash: f2134b68af531f0e0c20300495a79e312751aa696fbf965b1b59ce5619feb879
Instruction Fuzzy Hash: A831A036650219BFDB14AFB4EC69ADEB7ACAF09321F144165F815E21E0DB30DA84CB34

Function 00D1979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D19819
FindClose.KERNEL32(00000000), ref: 00D19824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D19840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D19890
SetCurrentDirectoryW.KERNEL32(00D66B7C), ref: 00D198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D198B8
FindClose.KERNEL32(00000000), ref: 00D198C5
FindClose.KERNEL32(00000000), ref: 00D198D5

Part of subcall function 00D0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D0DB00

Strings

*.*, xrefs: 00D1983B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c2bced4d5ab484b80a8f97ae996867f45b612a68c5d68022fc20899939aa6dce
Instruction ID: 8502e3deeafe49d749ad17cdb6ffae921503a83e2ec7f43cd7421508642a7212
Opcode Fuzzy Hash: c2bced4d5ab484b80a8f97ae996867f45b612a68c5d68022fc20899939aa6dce
Instruction Fuzzy Hash: 333183325406197EDB14AFB4FC68ADEB7ACAF06320F144166E854E2190DF31D9C5CB74

Function 00D18195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D18257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D18267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D18273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D18310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D1838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D18395

Strings

*.*, xrefs: 00D1839B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c1ba882cdce423c6a6b3c5fe387b79f1d94c1745b68be5336783d58ac74a4520
Instruction ID: c9aba1711a3798c3bbec89af6614ab982691ac94c76cb64be031aa57cb7c9910
Opcode Fuzzy Hash: c1ba882cdce423c6a6b3c5fe387b79f1d94c1745b68be5336783d58ac74a4520
Instruction Fuzzy Hash: F2617CB2504305AFC710EF64D88099EB3E8FF89314F08891EF999D7251DB31E945DBA2

Function 00D0D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D0D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D0D1DD
MoveFileW.KERNEL32(?,?), ref: 00D0D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D0D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D0D237

Part of subcall function 00D0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D0D21C,?,?), ref: 00D0D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D0D253
FindClose.KERNEL32(00000000), ref: 00D0D264

Strings

\*.*, xrefs: 00D0D0CD, 00D0D0D6, 00D0D0EB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a1aec334c2bcd553ad6c52c74d2285ad5cad90f5fa251e6c88f2db3dcfb95c26
Instruction ID: c316d0d8c1ff471e972ae7a3ec0715f9bd4063c8938378aa48ab369be7ada884
Opcode Fuzzy Hash: a1aec334c2bcd553ad6c52c74d2285ad5cad90f5fa251e6c88f2db3dcfb95c26
Instruction Fuzzy Hash: 72616F31C0125E9BCF05EBE0D952AEDB776AF55304F244166E406771A1EB309F09DB71

Function 00D1ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D1ED91
EmptyClipboard.USER32 ref: 00D1ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D1EDAC
CloseClipboard.USER32 ref: 00D1EEA3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 18c5286a10db868cb7934cdca5f6df4511c9734cb43afb93e3ec33a8d7873d9f
Instruction ID: fb6a20a41dc51cca80aeda52755d9cc6675868b88c952a373bd88bfc07e5eb49
Opcode Fuzzy Hash: 18c5286a10db868cb7934cdca5f6df4511c9734cb43afb93e3ec33a8d7873d9f
Instruction Fuzzy Hash: 17419D35204611AFD310DF25E889B5ABBE5EF44318F18C099E8199B762CB35EC81CBA0

Function 00D0E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
Part of subcall function 00D016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
Part of subcall function 00D016C3: GetLastError.KERNEL32 ref: 00D0174A

ExitWindowsEx.USER32(?,00000000), ref: 00D0E932

Strings

SeShutdownPrivilege, xrefs: 00D0E902
@, xrefs: 00D0E925
, xrefs: 00D0E95C
, xrefs: 00D0E920

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d9d93c7851835c1059a4fc2414733463c569c54c706f1edf9e629479b753a238
Instruction ID: 52952626cd66fb9239cf90c31fb758c3d617cd1e2c87f6ba5c40ab8d4203a637
Opcode Fuzzy Hash: d9d93c7851835c1059a4fc2414733463c569c54c706f1edf9e629479b753a238
Instruction Fuzzy Hash: D701D673620311ABEB6467B4AC86BBB735CA714750F194D26FC4AF21D2D5A19C408AB4

Function 00D21204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D21276
WSAGetLastError.WSOCK32 ref: 00D21283
bind.WSOCK32(00000000,?,00000010), ref: 00D212BA
WSAGetLastError.WSOCK32 ref: 00D212C5
closesocket.WSOCK32(00000000), ref: 00D212F4
listen.WSOCK32(00000000,00000005), ref: 00D21303
WSAGetLastError.WSOCK32 ref: 00D2130D
closesocket.WSOCK32(00000000), ref: 00D2133C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 482f8eef6b70cf689ad03b39c181d4659e734cb1764ecb743e6d962587c366a1
Instruction ID: 217ca191ddd68a856dab84c078e4690c6f6be5f61a2587b44f6b66ebd1cdb572
Opcode Fuzzy Hash: 482f8eef6b70cf689ad03b39c181d4659e734cb1764ecb743e6d962587c366a1
Instruction Fuzzy Hash: E9416F35A00211DFD710DF64D485B2ABBE6AF66318F18C198E8569F392C771ED81CBB1

Function 00CDB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDB9D4
_free.LIBCMT ref: 00CDB9F8
_free.LIBCMT ref: 00CDBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D43700), ref: 00CDBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CDBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D71270,000000FF,?,0000003F,00000000,?), ref: 00CDBC36
_free.LIBCMT ref: 00CDBD4B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0e02aa7955f514d2a5fa8d2302d3f40d4b37129f5f372b8af3c890d0fd1c0791
Instruction ID: d0b40e3e47b42f884505ebc0c2a86031a45b91522b23a518e31d1226751a7121
Opcode Fuzzy Hash: 0e02aa7955f514d2a5fa8d2302d3f40d4b37129f5f372b8af3c890d0fd1c0791
Instruction Fuzzy Hash: A8C12675904245EFCB209F69CC51BAABBB8EF41310F16419FE6A8D7352EB309E41E760

Function 00D0D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D0D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D0D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D0D481
FindClose.KERNEL32(00000000), ref: 00D0D498
FindClose.KERNEL32(00000000), ref: 00D0D4A1

Strings

\*.*, xrefs: 00D0D3F2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3c7b5b6f4a0ab0f1c25db6e4bbbda729a0a40184199cc27fa27890c227a2fa15
Instruction ID: f27ebc318fa1b25c69cc3f7f0ad458bd507f3ed82c8252e4b3bc21330a2ad68d
Opcode Fuzzy Hash: 3c7b5b6f4a0ab0f1c25db6e4bbbda729a0a40184199cc27fa27890c227a2fa15
Instruction Fuzzy Hash: 723180310183469FC300EFA4D8969AFB7A8AE92304F444A1EF4D5931E1EB34EA09D773

Function 00CDE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CDE645

Strings

1#QNAN, xrefs: 00CDF84B
1#INF, xrefs: 00CDF852
1#SNAN, xrefs: 00CDF844
1#IND, xrefs: 00CDF83D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 60e0478b12312fce15f87e03ce352cff947b999bc4b982a3ca2f900a1ae2ffb4
Instruction ID: eec0c1c873890e31947bc873ed93d50e58d70c8f9b03e305954be7d1cec74961
Opcode Fuzzy Hash: 60e0478b12312fce15f87e03ce352cff947b999bc4b982a3ca2f900a1ae2ffb4
Instruction Fuzzy Hash: FFC23871E086288BDB25DE28DD407EAB7B5FB49304F1541EBD95EE7240E774AE828F40

Function 00D1648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D164DC
CoInitialize.OLE32(00000000), ref: 00D16639
CoCreateInstance.OLE32(00D3FCF8,00000000,00000001,00D3FB68,?), ref: 00D16650
CoUninitialize.OLE32 ref: 00D168D4

Strings

.lnk, xrefs: 00D164BA, 00D16524, 00D165E0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a3475eb5bee0fac351a1d2280a5f03cf9be92f8cc0fecd0c33d696b1829034d5
Instruction ID: 4f2a8e6ae66ab3f4a4286010f9276c51905c09c72f4ef6dd44eb0e072962a765
Opcode Fuzzy Hash: a3475eb5bee0fac351a1d2280a5f03cf9be92f8cc0fecd0c33d696b1829034d5
Instruction Fuzzy Hash: E3D14A71508301AFD304EF24D881EABB7E9FF95708F04496DF5958B291DB70E949CBA2

Function 00D222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D222E8

Part of subcall function 00D1E4EC: GetWindowRect.USER32(?,?), ref: 00D1E504

GetDesktopWindow.USER32 ref: 00D22312
GetWindowRect.USER32(00000000), ref: 00D22319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D22355
GetCursorPos.USER32(?), ref: 00D22381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D223DF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4724706a23424810425ff1a490b94de4488a698bf3f4088ddda3fef10be7d720
Instruction ID: d88d1aa177515c1283d2f3db4495b14a0d6f273c194dab76d2293c94a17de0cf
Opcode Fuzzy Hash: 4724706a23424810425ff1a490b94de4488a698bf3f4088ddda3fef10be7d720
Instruction Fuzzy Hash: 7431C272504325AFD720DF54D845BABB7A9FF94314F040A1DF985E7291DB34E908CBA2

Function 00D19B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D19B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D19C8B

Part of subcall function 00D13874: GetInputState.USER32 ref: 00D138CB
Part of subcall function 00D13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D13966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D19BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D19C75

Strings

*.*, xrefs: 00D19B5D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7c0ef8f15e3c3492ca38c9f338f6cc06a21b1667b4f1885b6f3a774705a9c215
Instruction ID: c4a9dce84c195563b5bab1157ee3757ad8cda2edc77e62c75eac5b3817d1728a
Opcode Fuzzy Hash: 7c0ef8f15e3c3492ca38c9f338f6cc06a21b1667b4f1885b6f3a774705a9c215
Instruction Fuzzy Hash: 9C41607194420AAFCF14DF64D9A9AEEBBB9EF05310F244155F845A3291EB309E84DFB0

Function 00CB997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CB9A4E
GetSysColor.USER32(0000000F), ref: 00CB9B23
SetBkColor.GDI32(?,00000000), ref: 00CB9B36

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 04dec0f553742ffebe11208bda07d778d1906a3cf1422adb42410b8d3d243c0e
Instruction ID: e64ac892bf540f66ce9744ef51485f9576af5ae8d55b47489433d00ed39aeb98
Opcode Fuzzy Hash: 04dec0f553742ffebe11208bda07d778d1906a3cf1422adb42410b8d3d243c0e
Instruction Fuzzy Hash: C6A13B70118558BEE769AB3D8C99EFB369DDF42340F15030AF322D66A1CA359E41E273

Function 00D21806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
Part of subcall function 00D2304E: _wcslen.LIBCMT ref: 00D2309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D2185D
WSAGetLastError.WSOCK32 ref: 00D21884
bind.WSOCK32(00000000,?,00000010), ref: 00D218DB
WSAGetLastError.WSOCK32 ref: 00D218E6
closesocket.WSOCK32(00000000), ref: 00D21915

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 5a438f272463ec5f79b729fcbd56d62dddee06631f92e306c82affc125de2da0
Instruction ID: 10bd822651e5adcd9a04c62e3abb6e7bdb7b3677f39e264e22bb799b85ab98dd
Opcode Fuzzy Hash: 5a438f272463ec5f79b729fcbd56d62dddee06631f92e306c82affc125de2da0
Instruction Fuzzy Hash: 7851D275A00210AFDB10AF24D8C6F6AB7E5AB55718F188098F919AF3C3C771ED419BA1

Function 00D31C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D31CC0
IsWindowEnabled.USER32 ref: 00D31CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D31CDB
IsIconic.USER32 ref: 00D31CE9
IsZoomed.USER32 ref: 00D31CF7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f1ff54f7512fa6762e8086c32d6bddb323466bc30f70425239e12e51b599a4ef
Instruction ID: 9de2a1cbe65ab7e896ed9a5f046da4cd1cd0083af9f8efddbfd85dc7a0abe08f
Opcode Fuzzy Hash: f1ff54f7512fa6762e8086c32d6bddb323466bc30f70425239e12e51b599a4ef
Instruction Fuzzy Hash: B421A1357402125FD7208F2AD894B6ABBA5EF85315F1DA068E84ADB351CB71EC42CBB0

Function 00CA8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CA843C
ERCP, xrefs: 00CA813C
VUUU, xrefs: 00CA83FA
VUUU, xrefs: 00CA83E8
VUUU, xrefs: 00CE5DF0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 801d12fae94481a04aa0c2f715024017ce38e816143a328c33dc27311f6c7ef1
Instruction ID: e9ec3fbb37d1f6e4e19c7e0400e69d194b0fe3d50f8f2c3a5a4c5c6be0692ff7
Opcode Fuzzy Hash: 801d12fae94481a04aa0c2f715024017ce38e816143a328c33dc27311f6c7ef1
Instruction Fuzzy Hash: 69A2A270E0065ACBDF24CF59C8407AEB7B1FF55318F2481AAE825A7285DB709E85CF90

Function 00D2A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D2A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D2A6BA

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D2A79C
CloseHandle.KERNEL32(00000000), ref: 00D2A7AB

Part of subcall function 00CBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CE3303,?), ref: 00CBCE8A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 629ea36002070c955586bed68a5432c000f45bed02ed23bce8958272c2bca879
Instruction ID: bc074a1bb16904c66819e642838657b8e9713a7bc1a093069bf2008b80c2ef08
Opcode Fuzzy Hash: 629ea36002070c955586bed68a5432c000f45bed02ed23bce8958272c2bca879
Instruction Fuzzy Hash: 41516F715083119FD710EF24D886A6BBBE8FF89758F04891DF585D72A1EB30D904DBA2

Function 00D0AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D0AAAC
SetKeyboardState.USER32(00000080), ref: 00D0AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D0AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D0AB88

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 549d84ad0f8065374132807667064c78cd19e9c81cb111ca6786f64c975b5496
Instruction ID: ddc824b20a194a6bb44637fd92c64a0ca64b0a0b88f4a2804cc37eda59504acf
Opcode Fuzzy Hash: 549d84ad0f8065374132807667064c78cd19e9c81cb111ca6786f64c975b5496
Instruction Fuzzy Hash: 6531F431A40358AEFB35CB6DCC05BFA7BA6EB45320F08421AF599961E1D375C981C772

Function 00D1CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D1CE89
GetLastError.KERNEL32(?,00000000), ref: 00D1CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D1CEFE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6207da3bbe58b820b1f1056fc774cef1ed33f415a1418147e97fb37c8e2508cc
Instruction ID: 40002fd6ae9334ce0fddb6290979a29845f25a5292babcdb814e13ae5d66550a
Opcode Fuzzy Hash: 6207da3bbe58b820b1f1056fc774cef1ed33f415a1418147e97fb37c8e2508cc
Instruction Fuzzy Hash: 7621BDB1590305ABDB20CFA5E948BA7B7F8EF00314F14541EE546E2251EB74EE858BB4

Function 00D08298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D082AA

Strings

(, xrefs: 00D082F0
|, xrefs: 00D082DA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b4124e74080c48251451627222c6e9baac0178271c3572fb8e5e530f8e681bcb
Instruction ID: bb3ce187f672bc26d224710d74d2b37d6f0dd51dbc7dc689fd17c23897bc4a79
Opcode Fuzzy Hash: b4124e74080c48251451627222c6e9baac0178271c3572fb8e5e530f8e681bcb
Instruction Fuzzy Hash: AD323474A007059FCB28CF69C481AAAB7F0FF48710B15C56EE49ADB3A1EB70E941DB54

Function 00D15C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D15CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D15D17
FindClose.KERNEL32(?), ref: 00D15D5F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c7e83e2b5432426115841fe556622fe4a199918be63b71634bfa86a65fef3d5e
Instruction ID: fb8b0815948c0b7d8183023a8d9290b33d2c7e25bf25701768648bd6e9d95958
Opcode Fuzzy Hash: c7e83e2b5432426115841fe556622fe4a199918be63b71634bfa86a65fef3d5e
Instruction Fuzzy Hash: 64519C74604602EFC714CF28E494E96B7E4FF4A314F14855DE99A8B3A1CB34ED84CBA1

Function 00CD2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CD271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CD2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CD2731

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 417518a70b0746a1542e70f971171a126e5ee1a86e5dbc1cb1a0432b98f4099c
Instruction ID: 7d55f51ffc8c1104af997b74e2f5463ab98f000379e0a51ac9773902eff2882e
Opcode Fuzzy Hash: 417518a70b0746a1542e70f971171a126e5ee1a86e5dbc1cb1a0432b98f4099c
Instruction Fuzzy Hash: F931D57591131CABCB21DF64DC88B9DBBB8AF18310F5041EAE91CA7260E7349F819F54

Function 00D151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D15238
SetErrorMode.KERNEL32(00000000), ref: 00D152A1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9838d3aa93960e48ce120e0fde223a2917ce53cd874bc350b5d7ca2189e4bf7e
Instruction ID: 1d7e35769ff493ae8ff5a58cc48f5047976166cbef3be474fa5529cb598f21ac
Opcode Fuzzy Hash: 9838d3aa93960e48ce120e0fde223a2917ce53cd874bc350b5d7ca2189e4bf7e
Instruction Fuzzy Hash: 6B315075A00619EFDB00DF94D884EADBBB4FF49318F088099E805AB396DB75E855CB60

Function 00D016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CC0668
Part of subcall function 00CBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CC0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0173A
GetLastError.KERNEL32 ref: 00D0174A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e5f8a5e235fd6ab005609951fcf5aaf85442e44e61bf402756a6ea854f252168
Instruction ID: 4625b65f4e91ac7d027b0508a38aba9e0beb1f718009cf950e72ccba40341fb5
Opcode Fuzzy Hash: e5f8a5e235fd6ab005609951fcf5aaf85442e44e61bf402756a6ea854f252168
Instruction Fuzzy Hash: 2A1191B2514304AFD7189F64DC86EAAB7B9EB44714B24852EE05697281EB70FC418B30

Function 00D0D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D0D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D0D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D0D650

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e10210b3db1ca8a6737d3b28d989b6923322997ee0cc57414e8113f1f55a397e
Instruction ID: e72bc8dbf1913c52c0c18d7227eae3639c91aa064d061d2112fa4efa96be8ceb
Opcode Fuzzy Hash: e10210b3db1ca8a6737d3b28d989b6923322997ee0cc57414e8113f1f55a397e
Instruction Fuzzy Hash: 16113C75E05328BBDB108F959C45FAFBBBCEB45B50F108126F908E7290D6704A058BA1

Function 00D01663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D0168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D016A1
FreeSid.ADVAPI32(?), ref: 00D016B1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4b84d0c24b8a1b1c45698c65706b2212f5e6dd950dda721665744d22af329e3d
Instruction ID: 278e685827f7c02cec01daf0807bd76eba65b63bedce15adfd1512554a308f17
Opcode Fuzzy Hash: 4b84d0c24b8a1b1c45698c65706b2212f5e6dd950dda721665744d22af329e3d
Instruction Fuzzy Hash: 33F0F47595030DFBDB00DFE49D89AAEBBBCEB08704F504565E501E2281E774AA448B60

Function 00CC4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000,?,00CD28E9), ref: 00CC4D09
TerminateProcess.KERNEL32(00000000,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000,?,00CD28E9), ref: 00CC4D10
ExitProcess.KERNEL32 ref: 00CC4D22

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6864ccffeaa6ed9c9adb2a9afa475a1a159908ea8b3686c85cc156b5c86a239b
Instruction ID: 9b75b0f127e5c9ac33c5fd6944e8002fa164041f2ddb4902c8182de7b42955f2
Opcode Fuzzy Hash: 6864ccffeaa6ed9c9adb2a9afa475a1a159908ea8b3686c85cc156b5c86a239b
Instruction Fuzzy Hash: 60E0B631010248ABCF15BF64DD1AF983B69FB41791B148418FD16DA222CB35DE52DB90

Function 00CDC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00CDC36C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0f9d135613fe0191cc0a937e7dbd9dbe91a7e710870c6b3c99fb6b976c264892
Instruction ID: 2aaead7019ef4960b50b6a10ab65543ee65474d85bef7fa6169aaafe7af06200
Opcode Fuzzy Hash: 0f9d135613fe0191cc0a937e7dbd9dbe91a7e710870c6b3c99fb6b976c264892
Instruction Fuzzy Hash: B3413B7650021A6FCB249FB9CC89EFB77B8EB84314F10426AFA15D7390E6709E41CB50

Function 00CFD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CFD28C

Strings

X64, xrefs: 00CFD2A8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ca163c03e6b1a6afdde39b37ae90dae53e73c2a038021973dae6ece9bae2f186
Instruction ID: 496c020ceb8e3108a5f1b1c059c319de9e005474165f6d2e5426fbe457e09441
Opcode Fuzzy Hash: ca163c03e6b1a6afdde39b37ae90dae53e73c2a038021973dae6ece9bae2f186
Instruction Fuzzy Hash: DAD0C9B481111DEACB94DB90ECC8DDAB37CBB04305F100191F106E2100D73095488F20

Function 00CCCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6e9ed51d140cab7be87228cfdc90ebae4805c6d8836eb40b60eec0c4952f73a6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 5E020C71E002199BDF14CFA9C980BADBBF1EF48314F25816DD929E7384D731AA418B94

Function 00D168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D16918
FindClose.KERNEL32(00000000), ref: 00D16961

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d643b829e2e7e9b13743e1b96033250fc7e8e215eb0a69fc49f0d351fd5fbb29
Instruction ID: 276346e4947f48efbd522e73e0d40bc9ce39a9d15decf398045d3ecb996f2cac
Opcode Fuzzy Hash: d643b829e2e7e9b13743e1b96033250fc7e8e215eb0a69fc49f0d351fd5fbb29
Instruction Fuzzy Hash: A51193356142119FC710DF69D884A16BBE5FF85328F14C699E4698F3A2CB30EC45CBA1

Function 00D137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D24891,?,?,00000035,?), ref: 00D137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D24891,?,?,00000035,?), ref: 00D137F4

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cd7f08cdad9763f8f5e805c021e1c41a3734702582a3730624a952169058e3cf
Instruction ID: c4df6a956fae669f120da6f58b860222edc0734273d54b953b7fa4db19c9a239
Opcode Fuzzy Hash: cd7f08cdad9763f8f5e805c021e1c41a3734702582a3730624a952169058e3cf
Instruction Fuzzy Hash: 03F0A0B16043292AE62057A69C49FEB3AAEEF85765F000175B509E2291D9609944C7B0

Function 00D0B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D0B25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00D0B270

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 86c53bd30b42a3cf5ee424ead5894331a23d3363d46dfab0a82505764c387ce0
Instruction ID: 394f5f6460132a065d275edb8bb07b32314eb8c4a13928f7b0a1910c3be3f93a
Opcode Fuzzy Hash: 86c53bd30b42a3cf5ee424ead5894331a23d3363d46dfab0a82505764c387ce0
Instruction Fuzzy Hash: 0FF01D7181424DABDB059FA0C805BAE7BB4FF04315F04900AF955A5191C379C6119FA4

Function 00D010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D011FC), ref: 00D010D4
CloseHandle.KERNEL32(?,?,00D011FC), ref: 00D010E9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e0dda5a34b20fae7d631dab4b38600e8c227015d2b96d27176ea0cb8994d0b33
Instruction ID: e59b962d92b005a8f49f0e088baab3aaa43cd2a39a2e92401337f0f85f869ea3
Opcode Fuzzy Hash: e0dda5a34b20fae7d631dab4b38600e8c227015d2b96d27176ea0cb8994d0b33
Instruction Fuzzy Hash: AAE0BF72014750AEE7252B61FC05EB777E9EB04310F14882DF5A5905B1DB62ACA1EB60

Function 00CACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CF0C40

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 1eb0e8e2e2ea0f02afcf6421b06db19873734b65189d4dad7898e021d48bee8a
Instruction ID: de4802c200d36af0d5412ad7c9a16716ade9683f0486638fb5ca334604894ae7
Opcode Fuzzy Hash: 1eb0e8e2e2ea0f02afcf6421b06db19873734b65189d4dad7898e021d48bee8a
Instruction Fuzzy Hash: 17329A7090021ADFCF14DF94C885AFDB7B5FF06308F248069E916AB292DB35AE45DB61

Function 00CD676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CD6766,?,?,00000008,?,?,00CDFEFE,00000000), ref: 00CD6998

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ca4f50ad80b6a84cba71cebdaef265e5ab2dbe69703a646387e01dbf0cf5573b
Instruction ID: 0b3ea1d68bb04f58d21aac9ff32d6f46105a68920ed3df894bd4d9ad1e6848c9
Opcode Fuzzy Hash: ca4f50ad80b6a84cba71cebdaef265e5ab2dbe69703a646387e01dbf0cf5573b
Instruction Fuzzy Hash: 13B14A316106099FD715CF28C48AB657BE0FF45364F25865AEAE9CF3A2C335EA81DB40

Function 00CBB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CF851F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dd60f4085bc05c737cdf5be1c4af4b83f6ddb121cc1afaa05ad48bfb8ef37d07
Instruction ID: 768f22c4a820c72a9359019050a68883a55db904ad49ee95ff0555574d3ae567
Opcode Fuzzy Hash: dd60f4085bc05c737cdf5be1c4af4b83f6ddb121cc1afaa05ad48bfb8ef37d07
Instruction Fuzzy Hash: C5127E71A002299BDB64CF59C8806FEB7F5FF48310F10819AE949EB251DB709E85CFA1

Function 00D1EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D1EABD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 73966990cdf8a5966e866875e690e0143eef858b9480c81730a9e14c133d4ccc
Instruction ID: c9f65d785cf0b46fa760db41b327ddbea64b17469127c0cef04dbf645b494e65
Opcode Fuzzy Hash: 73966990cdf8a5966e866875e690e0143eef858b9480c81730a9e14c133d4ccc
Instruction Fuzzy Hash: 70E04F32214205AFC710EF69E845E9AF7E9AF99764F048416FC4AD7361DB70EC808BA1

Function 00CC09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CC03EE), ref: 00CC09DA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 18b4898833545ab2757a6b4b345049fe7e4e2c30d28c411ae063f180724f9699
Instruction ID: 1b20b1c7169589d335e568f73c26a39a180334010f0106ab48c23874d97b96a8
Opcode Fuzzy Hash: 18b4898833545ab2757a6b4b345049fe7e4e2c30d28c411ae063f180724f9699
Instruction Fuzzy Hash:

Function 00CC781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CC798B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a57b903c28d125d9c4087abb48c6d0014ba974e88435184ab29152bacb84f7f1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5051756160C6055BDF388629C95AFBF2399DB12340F18070DEAA2EB6C2C625DF45EF52

Function 00CD6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9826ab65b07dd3bb65fc7d20d62bff264078b217e8482768c522ac57c030f916
Instruction ID: e86eb8c79b34a1ad8f2d0cf5ea0842e2ab52c91015115354eb10a13cb40023df
Opcode Fuzzy Hash: 9826ab65b07dd3bb65fc7d20d62bff264078b217e8482768c522ac57c030f916
Instruction Fuzzy Hash: 0C321326D29F014EDB239A34D862335A249AFB73C5F55C737F82AB5AA5FB39C5834100

Function 00CBCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973e589a0e05a889cde96530e2ab012e559f46c1ad1709d5944665a16a99867f
Instruction ID: a55f9771de67f94c4409d2f8025943f45b63dd3baffb2f0a6b5ee7a51443124f
Opcode Fuzzy Hash: 973e589a0e05a889cde96530e2ab012e559f46c1ad1709d5944665a16a99867f
Instruction Fuzzy Hash: D6321631B0411D8BDF68CF2DC6D46BD7BA1EB45300F28856AD66ACB295D230DE81EB52

Function 00CA7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecbb4e7e8bcac88271936957c26dc89729ae868e6ae66c65faed6c5b513129b
Instruction ID: 341083f5d1495b33822acb87cf8e91a703195a7caa3c3df661c3752870b03fde
Opcode Fuzzy Hash: fecbb4e7e8bcac88271936957c26dc89729ae868e6ae66c65faed6c5b513129b
Instruction Fuzzy Hash: 9E22B1B0A0064ADFDF14CF65D981AEEB3F5FF45308F204629E816A7291EB359E11DB60

Function 00CA91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8b9b8ce2a1d8747447e4471ebca304814228cf6f4ca23e62858cc3b9b2cea2
Instruction ID: 95b22b3cba219d0105bfaa0ef54bad0790305f4b5dfc8c01a0c95db44e663e4d
Opcode Fuzzy Hash: 8c8b9b8ce2a1d8747447e4471ebca304814228cf6f4ca23e62858cc3b9b2cea2
Instruction Fuzzy Hash: DD02B6B0E00246EBDB04DF65D881AAEB7B5FF44344F208169E816DB391EB31EE11DB95

Function 00CC1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: aad0dfc7937d5e211b0a38e10825c2f40727e655b1819483396eac13136814b0
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 959157725080A34AD72A463BC574A7DFFE15A533A131D079DECF3CA1C6EE24CA65D620

Function 00CC19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4946d0021240dce2e319e0f867d1c4e0ce7d64192ee87fdab6b525e51916d51b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 329125722090A34EDB2D467BC57493DFFE15A933A131D079DD8F2CA1C2FD24CA65AA20

Function 00CC7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b46efd753f4801304fdfdc76f62ec9e9fc8e47ed918d2463160761e52360511
Instruction ID: b64e7d45d99f10e22fbd83722f91230f146046bdc1a12ae3ac4758c13561cb40
Opcode Fuzzy Hash: 8b46efd753f4801304fdfdc76f62ec9e9fc8e47ed918d2463160761e52360511
Instruction Fuzzy Hash: 12616671608709A7DF349A28C9B6FBF2394DF41710F101B5EE863CB281DA119F82AF55

Function 00CC7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c27747832112b3605ba2cb41664d96f2e837838c49e97df6f1d34573f1ed724
Instruction ID: ecb8fd468c33d8d1c95b1a3261217f1ba4790c17a61213c848d0cde452a9ca79
Opcode Fuzzy Hash: 1c27747832112b3605ba2cb41664d96f2e837838c49e97df6f1d34573f1ed724
Instruction Fuzzy Hash: 24617A726087096BDE385A28C856FBF2394EF42740F100B5EF853DB681DA12EF46DE55

Function 00CC1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8e9516affb2bfb7095b9baad6bb6951176559e8a5f16476765b5e847aabfa27f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: ED81447250D0A349DB69463BC574A3EFFE15A933A131E079DD8F2CA1C3EE24D654E620

Function 00D12046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95822b9821b64f073c44fef441cb6fd47243b854d6573f9c6f224b9881a6d986
Instruction ID: 1247e2233fb19b2fc8e79c203144fb85e651bbf5253c92195db5c2588ae7caa6
Opcode Fuzzy Hash: 95822b9821b64f073c44fef441cb6fd47243b854d6573f9c6f224b9881a6d986
Instruction Fuzzy Hash: 9421BB326206118BD728CF79C8236BE73E5E754310F19862EE4A7C37D1DE36A944C750

Function 00D22ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D22B30
DeleteObject.GDI32(00000000), ref: 00D22B43
DestroyWindow.USER32 ref: 00D22B52
GetDesktopWindow.USER32 ref: 00D22B6D
GetWindowRect.USER32(00000000), ref: 00D22B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D22CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D22CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22CF8
GetClientRect.USER32(00000000,?), ref: 00D22D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D22D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22DA8
GlobalFree.KERNEL32(00000000), ref: 00D22DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D3FC38,00000000), ref: 00D22DDB
GlobalFree.KERNEL32(00000000), ref: 00D22DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D22E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D22E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D22E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2303F

Strings

, xrefs: 00D22FC5
AutoIt v3, xrefs: 00D22CF2
@U=u, xrefs: 00D22E30, 00D22FBF
DISPLAY, xrefs: 00D22EA2
static, xrefs: 00D22D3A, 00D22E91

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 6f75d68ac0f185cd80effb48d617950716e17f3d45ddd9bd996df153ff255748
Instruction ID: 5b0720fcab9a134ea26be58d3ab0aa6605844f0bc85c14ded9d313a4cb41a1be
Opcode Fuzzy Hash: 6f75d68ac0f185cd80effb48d617950716e17f3d45ddd9bd996df153ff255748
Instruction Fuzzy Hash: AC027975910215AFDB14DFA8DC89EAE7BB9EF49314F048118F915EB2A1DB74AD00CB70

Function 00D370D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D3712F
GetSysColorBrush.USER32(0000000F), ref: 00D37160
GetSysColor.USER32(0000000F), ref: 00D3716C
SetBkColor.GDI32(?,000000FF), ref: 00D37186
SelectObject.GDI32(?,?), ref: 00D37195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D371C0
GetSysColor.USER32(00000010), ref: 00D371C8
CreateSolidBrush.GDI32(00000000), ref: 00D371CF
FrameRect.USER32(?,?,00000000), ref: 00D371DE
DeleteObject.GDI32(00000000), ref: 00D371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D37230
FillRect.USER32(?,?,?), ref: 00D37262
GetWindowLongW.USER32(?,000000F0), ref: 00D37284

Part of subcall function 00D373E8: GetSysColor.USER32(00000012), ref: 00D37421
Part of subcall function 00D373E8: SetTextColor.GDI32(?,?), ref: 00D37425
Part of subcall function 00D373E8: GetSysColorBrush.USER32(0000000F), ref: 00D3743B
Part of subcall function 00D373E8: GetSysColor.USER32(0000000F), ref: 00D37446
Part of subcall function 00D373E8: GetSysColor.USER32(00000011), ref: 00D37463
Part of subcall function 00D373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D37471
Part of subcall function 00D373E8: SelectObject.GDI32(?,00000000), ref: 00D37482
Part of subcall function 00D373E8: SetBkColor.GDI32(?,00000000), ref: 00D3748B
Part of subcall function 00D373E8: SelectObject.GDI32(?,?), ref: 00D37498
Part of subcall function 00D373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D374B7
Part of subcall function 00D373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D374CE
Part of subcall function 00D373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D374DB

Strings

@U=u, xrefs: 00D372CC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 6806f4198fc14b7cb8efdcbe8dd8e88d9b17ee85cf357c31f3b3142362af3a2f
Instruction ID: b43ad55517581a9135d84439b1c83af3897262c9d46472833bda5ba35dfb7736
Opcode Fuzzy Hash: 6806f4198fc14b7cb8efdcbe8dd8e88d9b17ee85cf357c31f3b3142362af3a2f
Instruction Fuzzy Hash: 1DA1C072018701BFDB109F60DC48E6B7BA9FF48320F142A19F9A2E62E1D771E944DB61

Function 00CB8D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CB8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CF6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CF6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CF6F43

Part of subcall function 00CB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CB8BE8,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8FC5

SendMessageW.USER32(?,00001053), ref: 00CF6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CF6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CF6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CF6FB7

Strings

@U=u, xrefs: 00CF6AC5, 00CF6BD6, 00CF6EBF
0, xrefs: 00CF6DCF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 32ed074ca80cf54b9c22978885b0f1eba203e1bb7408694d04fcfc0ec7d2749a
Instruction ID: fcecb91ec951debcb705f3bfc6ca5d609148c2df074ceb5f43e105c092e5798c
Opcode Fuzzy Hash: 32ed074ca80cf54b9c22978885b0f1eba203e1bb7408694d04fcfc0ec7d2749a
Instruction Fuzzy Hash: 3E12BC38200245EFDB65DF28C844BB6B7E5FB44300F144169E6A9DB261CB31ED96DFA2

Function 00D22711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D2273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D2286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D22900
GetClientRect.USER32(00000000,?), ref: 00D2290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D22955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D22964
GetStockObject.GDI32(00000011), ref: 00D22974
SelectObject.GDI32(00000000,00000000), ref: 00D22978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D22988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D22991
DeleteDC.GDI32(00000000), ref: 00D2299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D22A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D22A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D22A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D22A77
GetStockObject.GDI32(00000011), ref: 00D22A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D22A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D22A97

Strings

AutoIt v3, xrefs: 00D228F8
@U=u, xrefs: 00D229CC
msctls_progress32, xrefs: 00D22A13
DISPLAY, xrefs: 00D2295A
static, xrefs: 00D2294F, 00D22A71

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 06d3f3b614c9d747a98a37a360bb18dc8ac7c2aabc9b976427a188d8b4c59fbe
Instruction ID: a6d8bfa3cc735bc00bd96396356dc6229186870ef869170886ccdc50fc73fa03
Opcode Fuzzy Hash: 06d3f3b614c9d747a98a37a360bb18dc8ac7c2aabc9b976427a188d8b4c59fbe
Instruction Fuzzy Hash: 34B15C75A10215BFEB14DF68DC8AFAE7BA9EB08714F008214F915E72A1D774ED40CBA0

Function 00D373E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D37421
SetTextColor.GDI32(?,?), ref: 00D37425
GetSysColorBrush.USER32(0000000F), ref: 00D3743B
GetSysColor.USER32(0000000F), ref: 00D37446
CreateSolidBrush.GDI32(?), ref: 00D3744B
GetSysColor.USER32(00000011), ref: 00D37463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D37471
SelectObject.GDI32(?,00000000), ref: 00D37482
SetBkColor.GDI32(?,00000000), ref: 00D3748B
SelectObject.GDI32(?,?), ref: 00D37498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D3752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D37554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D37572
DrawFocusRect.USER32(?,?), ref: 00D3757D
GetSysColor.USER32(00000011), ref: 00D3758E
SetTextColor.GDI32(?,00000000), ref: 00D37596
DrawTextW.USER32(?,00D370F5,000000FF,?,00000000), ref: 00D375A8
SelectObject.GDI32(?,?), ref: 00D375BF
DeleteObject.GDI32(?), ref: 00D375CA
SelectObject.GDI32(?,?), ref: 00D375D0
DeleteObject.GDI32(?), ref: 00D375D5
SetTextColor.GDI32(?,?), ref: 00D375DB
SetBkColor.GDI32(?,?), ref: 00D375E5

Strings

@U=u, xrefs: 00D3752A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 8d867d8d51d71929bbdc79583c0984285272035415ecae7847b01dcd2645e62e
Instruction ID: 1a2f6aa369c1b2c21c825a67a8e66cf15d43ae9a91650506bfc8e01678ff24ea
Opcode Fuzzy Hash: 8d867d8d51d71929bbdc79583c0984285272035415ecae7847b01dcd2645e62e
Instruction Fuzzy Hash: 5A617B72900218AFDF119FA4DC49EEEBFB9EB08360F145115F911FB2A1D775A940DBA0

Function 00D14ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D14AED
GetDriveTypeW.KERNEL32(?,00D3CB68,?,\\.\,00D3CC08), ref: 00D14BCA
SetErrorMode.KERNEL32(00000000,00D3CB68,?,\\.\,00D3CC08), ref: 00D14D36

Strings

SAS, xrefs: 00D14CC9
Virtual, xrefs: 00D14CE5
RAID, xrefs: 00D14CBB
Removable, xrefs: 00D14C10, 00D14C15
1394, xrefs: 00D14C9F
SSA, xrefs: 00D14CA6
SSD, xrefs: 00D14C4A
iSCSI, xrefs: 00D14CC2
Unknown, xrefs: 00D14BED, 00D14C83
RAMDisk, xrefs: 00D14BF4
SATA, xrefs: 00D14CD0
PhysicalDrive, xrefs: 00D14B76
\\.\, xrefs: 00D14B3F
CDROM, xrefs: 00D14BFB
SCSI, xrefs: 00D14C8A
Fibre, xrefs: 00D14CAD
ATA, xrefs: 00D14C98
Fixed, xrefs: 00D14C09
Network, xrefs: 00D14C02
FileBackedVirtual, xrefs: 00D14CEC
MMC, xrefs: 00D14CDE
USB, xrefs: 00D14CB4
ATAPI, xrefs: 00D14C91

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 13febc4f5700c35236349e421326cc14ba4e320c719f8355e72ba02956176401
Instruction ID: cf3046f2f6decd46c98e552bb49647cd38b523841248264ad7c6775c038771d1
Opcode Fuzzy Hash: 13febc4f5700c35236349e421326cc14ba4e320c719f8355e72ba02956176401
Instruction Fuzzy Hash: B461A370605206FFCB04DF24EA82DE9B7A2EF45744B284015F846AB291DF35DD85EBB1

Function 00D30241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D302E5
_wcslen.LIBCMT ref: 00D3031F
_wcslen.LIBCMT ref: 00D30389
_wcslen.LIBCMT ref: 00D303F1
_wcslen.LIBCMT ref: 00D30475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D30504

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

Part of subcall function 00D0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D02258
Part of subcall function 00D0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D0228A

Strings

GETSELECTEDCOUNT, xrefs: 00D30470, 00D3048B
@U=u, xrefs: 00D304C5, 00D30504
GETITEMCOUNT, xrefs: 00D30316, 00D30337
ISSELECTED, xrefs: 00D304DD
GETTEXT, xrefs: 00D303EC, 00D30407
SELECTCLEAR, xrefs: 00D3052D
SELECTINVERT, xrefs: 00D3057E
FINDITEM, xrefs: 00D30627
GETSELECTED, xrefs: 00D305E1
GETSUBITEMCOUNT, xrefs: 00D30384, 00D3039F
SELECT, xrefs: 00D30548
SELECTALL, xrefs: 00D30515
VIEWCHANGE, xrefs: 00D30675
DESELECT, xrefs: 00D3059C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: 7f4ff3d3407302a63b673d97bb06f2daba9ed57d85ee35ca0534c596a082cacc
Instruction ID: c9abcf384ec1ce192a40bc30b822e6076acddc8873ea3639a14d536543170b86
Opcode Fuzzy Hash: 7f4ff3d3407302a63b673d97bb06f2daba9ed57d85ee35ca0534c596a082cacc
Instruction Fuzzy Hash: 80E1B0316183018FC714DF24C86196EBBE6BF88718F18495CF8969B3A6DB30ED45DBA1

Function 00D30FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D31128
GetDesktopWindow.USER32 ref: 00D3113D
GetWindowRect.USER32(00000000), ref: 00D31144
GetWindowLongW.USER32(?,000000F0), ref: 00D31199
DestroyWindow.USER32(?), ref: 00D311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D3121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D31232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D31245
IsWindowVisible.USER32(00000000), ref: 00D312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D312D0
GetWindowRect.USER32(00000000,?), ref: 00D312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D3130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D31328
CopyRect.USER32(?,?), ref: 00D3133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D313AA

Strings

tooltips_class32, xrefs: 00D311E6
0, xrefs: 00D310D3
(, xrefs: 00D3131B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e65503f23a3f0e75c0f7bd65c2c5c3eb16eec1b63eab33c05dcb043838d4cb51
Instruction ID: 7b2831abb9199ae1f16f374446854edc382511ec9b20591822382afa301eda6a
Opcode Fuzzy Hash: e65503f23a3f0e75c0f7bd65c2c5c3eb16eec1b63eab33c05dcb043838d4cb51
Instruction Fuzzy Hash: 7DB19C75608342AFD714DF64C885BABBBE4FF85354F048918F999AB2A1C731EC44CBA1

Function 00CB8891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB8968
GetSystemMetrics.USER32(00000007), ref: 00CB8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB899B
GetSystemMetrics.USER32(00000008), ref: 00CB89A3
GetSystemMetrics.USER32(00000004), ref: 00CB89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CB89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CB89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CB8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CB8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CB8A5A
GetStockObject.GDI32(00000011), ref: 00CB8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB8A81

Part of subcall function 00CB912D: GetCursorPos.USER32(?), ref: 00CB9141
Part of subcall function 00CB912D: ScreenToClient.USER32(00000000,?), ref: 00CB915E
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000001), ref: 00CB9183
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000002), ref: 00CB919D

SetTimer.USER32(00000000,00000000,00000028,00CB90FC), ref: 00CB8AA8

Strings

@U=u, xrefs: 00CB8A81
AutoIt v3 GUI, xrefs: 00CB8A20

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 68a5d971526a4ec78fd1c9379befb38ed9d2ebd65cb9a9d4d0d2db171e5b2985
Instruction ID: 27b535cba7f5a7ff6215421739c468d41b5fb08838324bf84fd92f6d65792b69
Opcode Fuzzy Hash: 68a5d971526a4ec78fd1c9379befb38ed9d2ebd65cb9a9d4d0d2db171e5b2985
Instruction Fuzzy Hash: 66B12975A0020AAFDF14DFA8DC45BEA7BB5FB48314F104229FA25E7290DB74A941CF61

Function 00D05A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D05A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D05A40
SetWindowTextW.USER32(?,?), ref: 00D05A57
GetDlgItem.USER32(?,000003EA), ref: 00D05A6C
SetWindowTextW.USER32(00000000,?), ref: 00D05A72
GetDlgItem.USER32(?,000003E9), ref: 00D05A82
SetWindowTextW.USER32(00000000,?), ref: 00D05A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D05AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D05AC3
GetWindowRect.USER32(?,?), ref: 00D05ACC
_wcslen.LIBCMT ref: 00D05B33
SetWindowTextW.USER32(?,?), ref: 00D05B6F
GetDesktopWindow.USER32 ref: 00D05B75
GetWindowRect.USER32(00000000), ref: 00D05B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D05BD3
GetClientRect.USER32(?,?), ref: 00D05BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D05C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D05C2F

Strings

@U=u, xrefs: 00D05A40

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: b136a0cdaa96a3dcac88cf3c7bcc21137aec8408f3070b7d4c790d59efc411e1
Instruction ID: d8314658f5cbf406bbb00f9829ecb2eb0fc2e9d5dc727d58b9e27e5e2abc8aa6
Opcode Fuzzy Hash: b136a0cdaa96a3dcac88cf3c7bcc21137aec8408f3070b7d4c790d59efc411e1
Instruction Fuzzy Hash: 37714A31900B09AFDB20DFA8DD45BAEBBF5EB48704F144518E986A26A4D775E940CF60

Function 00D3091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D309C6
_wcslen.LIBCMT ref: 00D30A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D30A54
_wcslen.LIBCMT ref: 00D30A8A
_wcslen.LIBCMT ref: 00D30B06
_wcslen.LIBCMT ref: 00D30B81

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

Part of subcall function 00D02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D02BFA

Strings

GETTOTALCOUNT, xrefs: 00D309F2, 00D30A17
@U=u, xrefs: 00D30A54
GETITEMCOUNT, xrefs: 00D30C1E
ISCHECKED, xrefs: 00D30CE1
UNCHECK, xrefs: 00D30D3E
CHECK, xrefs: 00D30A85, 00D30AA0
GETTEXT, xrefs: 00D30C97
EXPAND, xrefs: 00D30BF8
GETSELECTED, xrefs: 00D30C4E
SELECT, xrefs: 00D30D11
COLLAPSE, xrefs: 00D30B01, 00D30B1C
EXISTS, xrefs: 00D30B7C, 00D30B97

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: cde3b448369abc69f217fe6d8a58613ea98141d95cfb6c875121535e92a5629d
Instruction ID: 5c926b29db3478624e394e9806271849f93374abb0e078aef82f81053c7181f3
Opcode Fuzzy Hash: cde3b448369abc69f217fe6d8a58613ea98141d95cfb6c875121535e92a5629d
Instruction Fuzzy Hash: 66E1B1316083018FC714DF24C46096ABBE1FF99718F18895CF8969B7A2D731ED45DBA1

Function 00D00D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
Part of subcall function 00D010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
Part of subcall function 00D010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
Part of subcall function 00D010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
Part of subcall function 00D010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D00DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D00E29
GetLengthSid.ADVAPI32(?), ref: 00D00E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D00E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D00E96
GetLengthSid.ADVAPI32(?), ref: 00D00EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D00EB5
HeapAlloc.KERNEL32(00000000), ref: 00D00EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D00EDD
CopySid.ADVAPI32(00000000), ref: 00D00EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D00F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D00F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D00F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F6E
HeapFree.KERNEL32(00000000), ref: 00D00F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F7E
HeapFree.KERNEL32(00000000), ref: 00D00F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D00F8E
HeapFree.KERNEL32(00000000), ref: 00D00F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D00FA1
HeapFree.KERNEL32(00000000), ref: 00D00FA8

Part of subcall function 00D01193: GetProcessHeap.KERNEL32(00000008,00D00BB1,?,00000000,?,00D00BB1,?), ref: 00D011A1
Part of subcall function 00D01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D00BB1,?), ref: 00D011A8
Part of subcall function 00D01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D00BB1,?), ref: 00D011B7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c95182ab71e73b8fcc01b93eaba4487b7116bdb9c8cfea53c1609efb7f6a4a6b
Instruction ID: 48366546d2ab9ff08bca0049da70f62e2d6690705594b2aceae1b969c942815a
Opcode Fuzzy Hash: c95182ab71e73b8fcc01b93eaba4487b7116bdb9c8cfea53c1609efb7f6a4a6b
Instruction Fuzzy Hash: 34714A7290430ABBDB209FA4DC49BAEBFB8BF05301F184115FA59F6291D7719905DB70

Function 00D3833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3835A
_wcslen.LIBCMT ref: 00D3836E
_wcslen.LIBCMT ref: 00D38391
_wcslen.LIBCMT ref: 00D383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D3361A,?), ref: 00D3844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D38487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D38501
FreeLibrary.KERNEL32(?), ref: 00D3850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D3851D
DestroyIcon.USER32(?), ref: 00D3852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D38549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D38555

Strings

@U=u, xrefs: 00D38535
.icl, xrefs: 00D38368
.exe, xrefs: 00D38388
.dll, xrefs: 00D383AB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: 2327a2e529bac81f85e6291f0435a3c5f3bbecf463a8ae7369f751591b53df34
Instruction ID: 80373adbc33ff2bf96da3b01d3a4d3c63fa2399457da6bedba7817a695b7681a
Opcode Fuzzy Hash: 2327a2e529bac81f85e6291f0435a3c5f3bbecf463a8ae7369f751591b53df34
Instruction Fuzzy Hash: 5761B072550319BEEB14DF64CC41BBE77A8BB08711F108609F815E61D1DB74A984E7B0

Function 00D2C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D3CC08,00000000,?,00000000,?,?), ref: 00D2C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D2C5A4
_wcslen.LIBCMT ref: 00D2C5F4
_wcslen.LIBCMT ref: 00D2C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D2C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D2C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D2C84D
RegCloseKey.ADVAPI32(?), ref: 00D2C881
RegCloseKey.ADVAPI32(00000000), ref: 00D2C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D2C960

Strings

REG_MULTI_SZ, xrefs: 00D2C6F5
REG_QWORD, xrefs: 00D2C8C3
REG_SZ, xrefs: 00D2C644
REG_EXPAND_SZ, xrefs: 00D2C5CD
REG_BINARY, xrefs: 00D2C913
REG_DWORD, xrefs: 00D2C804

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1873073e4e14f0ac9498e091728a20d999577d2b85ba8eaf8764b8c8388cc809
Instruction ID: f60e4a80d2d100d9503ec0279d1533cce5f8ec37165ee353fb95c8e548f7c0ed
Opcode Fuzzy Hash: 1873073e4e14f0ac9498e091728a20d999577d2b85ba8eaf8764b8c8388cc809
Instruction Fuzzy Hash: 4A1279356142119FCB14EF14D891A2AB7E5FF89718F08895CF88A9B3A2DB31FC41DB91

Function 00D2C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
_wcslen.LIBCMT ref: 00D2C9F1
_wcslen.LIBCMT ref: 00D2CA68
_wcslen.LIBCMT ref: 00D2CA9E
_wcslen.LIBCMT ref: 00D2CAF9
_wcslen.LIBCMT ref: 00D2CB2F
_wcslen.LIBCMT ref: 00D2CB7F

Strings

HKLM, xrefs: 00D2CA98, 00D2CA9D
HKEY_CURRENT_CONFIG, xrefs: 00D2CB79, 00D2CB7E
HKCC, xrefs: 00D2CBAC
HKEY_USERS, xrefs: 00D2CBDF
HKEY_CLASSES_ROOT, xrefs: 00D2CAF3, 00D2CAF8
HKU, xrefs: 00D2CBF0
HKCU, xrefs: 00D2CBCE
HKCR, xrefs: 00D2CB29, 00D2CB2E
HKEY_LOCAL_MACHINE, xrefs: 00D2CA62, 00D2CA67
HKEY_CURRENT_USER, xrefs: 00D2CBBD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5170d8fc2b86666d183d8b5d9a6d72f2c0609f88828009b4034a28c32ab21428
Instruction ID: d991bdd8703270463ce5ecb17be1386107f9208c5a86195212718380490514b0
Opcode Fuzzy Hash: 5170d8fc2b86666d183d8b5d9a6d72f2c0609f88828009b4034a28c32ab21428
Instruction Fuzzy Hash: F171F532A2013A8BCB20DE7CED516BE3395AFB175CF295528F86697284E631CD45D3B0

Function 00CA7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00CA785F, 00CA78B1
#include, xrefs: 00CA7847
#pragma compile, xrefs: 00CA77D3
#comments-end, xrefs: 00CA78D9
Cannot parse #include, xrefs: 00CE5279
#notrayicon, xrefs: 00CA77E7
#ce, xrefs: 00CA78ED
", xrefs: 00CE5153
#include-once, xrefs: 00CA782F
#OnAutoItStartRegister, xrefs: 00CA7817
Bad directive syntax error, xrefs: 00CE519A
', xrefs: 00CE5169
Unterminated group of comments, xrefs: 00CE528C
#requireadmin, xrefs: 00CA77FF
#cs, xrefs: 00CA7873, 00CA78C5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d8692b09ba4b643b217a291111f3183e67931c6912d21c6ad23a47e85185da40
Instruction ID: cfa30fdd2e80b246e89fd29813be2aa041b6656faa1ec8be89cdf2e79000f38a
Opcode Fuzzy Hash: d8692b09ba4b643b217a291111f3183e67931c6912d21c6ad23a47e85185da40
Instruction Fuzzy Hash: DD81E771A44606BFDB21AF61DC42FAF37A8BF16304F044128F915EA192EB70DA15E7A1

Function 00D3856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D38592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D385A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D385AD
CloseHandle.KERNEL32(00000000), ref: 00D385BA
GlobalLock.KERNEL32(00000000), ref: 00D385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D385D7
GlobalUnlock.KERNEL32(00000000), ref: 00D385E0
CloseHandle.KERNEL32(00000000), ref: 00D385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D385F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D3FC38,?), ref: 00D38611
GlobalFree.KERNEL32(00000000), ref: 00D38621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D38641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D38671
DeleteObject.GDI32(00000000), ref: 00D38699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D386AF

Strings

@U=u, xrefs: 00D386AF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: e22736b21b7cae7145e53d9fc6b045884679b13684a7196a95b179e2355ffed9
Instruction ID: a40dd1d74b4fc8dcde1023d1679a79d38bcd8b580ce9f08c8cef4d0c0425b42a
Opcode Fuzzy Hash: e22736b21b7cae7145e53d9fc6b045884679b13684a7196a95b179e2355ffed9
Instruction Fuzzy Hash: 2E41F875610308AFDB119FA5DC89EAB7BB8FF89B11F148058F906E7260DB709901DB70

Function 00CC00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CC00C6

Part of subcall function 00CC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D7070C,00000FA0,5B91761E,?,?,?,?,00CE23B3,000000FF), ref: 00CC011C
Part of subcall function 00CC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CE23B3,000000FF), ref: 00CC0127
Part of subcall function 00CC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CE23B3,000000FF), ref: 00CC0138
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CC014E
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CC015C
Part of subcall function 00CC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CC016A
Part of subcall function 00CC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CC0195
Part of subcall function 00CC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CC01A0

___scrt_fastfail.LIBCMT ref: 00CC00E7

Part of subcall function 00CC00A3: __onexit.LIBCMT ref: 00CC00A9

Strings

InitializeConditionVariable, xrefs: 00CC0148
SleepConditionVariableCS, xrefs: 00CC0154
WakeAllConditionVariable, xrefs: 00CC0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CC0122
kernel32.dll, xrefs: 00CC0133

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: dd8176a3b03b03b9520452313d437de1398a12d5dfdbe32d9b5199271203e925
Instruction ID: fde1d35d1f610a9ce317e4e1f896199d0f9f58162f3df752ce00edff3bfa26f9
Opcode Fuzzy Hash: dd8176a3b03b03b9520452313d437de1398a12d5dfdbe32d9b5199271203e925
Instruction Fuzzy Hash: FD21F632A44710EFE7115BA4EC0AF6EB7A8DB04B61F24013DF815E23D1DBB09C009AB0

Function 00D030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0318D
_wcslen.LIBCMT ref: 00D031F8

Strings

TEXT, xrefs: 00D0347C
INSTANCE, xrefs: 00D03453
NAME, xrefs: 00D03335, 00D03346
CLASSNN, xrefs: 00D031F3, 00D03204
REGEXPCLASS, xrefs: 00D03255, 00D03266
CLASS, xrefs: 00D03188, 00D031A5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 71b8f02a73055f1e75a3b95b96e5f666fc9b52a09bf72f89daa63dd3028aaf5d
Instruction ID: d409a885a5b9411ad61e7e5b6b437338b94dd0e25a2ad8f3a943beba4f715d6a
Opcode Fuzzy Hash: 71b8f02a73055f1e75a3b95b96e5f666fc9b52a09bf72f89daa63dd3028aaf5d
Instruction Fuzzy Hash: D5E1B631A00616AFCB18DF78C855BEDBBB8BF54710F588119E45AB7290DB30AE85D7B0

Function 00D144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D3CC08), ref: 00D14527
_wcslen.LIBCMT ref: 00D1453B
_wcslen.LIBCMT ref: 00D14599
_wcslen.LIBCMT ref: 00D145F4
_wcslen.LIBCMT ref: 00D1463F
_wcslen.LIBCMT ref: 00D146A7

Part of subcall function 00CBF9F2: _wcslen.LIBCMT ref: 00CBF9FD

GetDriveTypeW.KERNEL32(?,00D66BF0,00000061), ref: 00D14743

Strings

ramdisk, xrefs: 00D146F1
all, xrefs: 00D14531, 00D14536
cdrom, xrefs: 00D1458F, 00D14594
unknown, xrefs: 00D14708
removable, xrefs: 00D145EA, 00D145EF
network, xrefs: 00D1469D, 00D146A2
fixed, xrefs: 00D14635, 00D1463A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 808e446bd63471fc060c039590369d265aee0eca5db39ede067b411523307e99
Instruction ID: 221aaffe8fd132560dcf6fc61617fd8ed99be1367127ec12c7009272d09dab0a
Opcode Fuzzy Hash: 808e446bd63471fc060c039590369d265aee0eca5db39ede067b411523307e99
Instruction Fuzzy Hash: 96B1E571608302AFC710DF28E890AAEB7E5BF96764F54891DF496C7291DB30D885C7B2

Function 00D36CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D36DEB

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D36E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D36E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D36E94
DestroyWindow.USER32(?), ref: 00D36EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CA0000,00000000), ref: 00D36EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D36EFD
GetDesktopWindow.USER32 ref: 00D36F16
GetWindowRect.USER32(00000000), ref: 00D36F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D36F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D36F4D

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

Strings

@U=u, xrefs: 00D36E81, 00D36E94, 00D36EFD, 00D36F27
tooltips_class32, xrefs: 00D36E58, 00D36EDD
0, xrefs: 00D36D98

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: d7e3c8fea6d08ccf949d11254cbf30784a779aaeec1b4f93ba81b416fdb80cf0
Instruction ID: e71a162091a229cd13980a223d2928935d4862fbe79a8c609cd2315231552225
Opcode Fuzzy Hash: d7e3c8fea6d08ccf949d11254cbf30784a779aaeec1b4f93ba81b416fdb80cf0
Instruction Fuzzy Hash: 6D716574104345AFDB21CF18D844BAABBE9FF89304F08891DFA99D7261D770E94ADB21

Function 00D3911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D39147

Part of subcall function 00D37674: ClientToScreen.USER32(?,?), ref: 00D3769A
Part of subcall function 00D37674: GetWindowRect.USER32(?,?), ref: 00D37710
Part of subcall function 00D37674: PtInRect.USER32(?,?,00D38B89), ref: 00D37720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D39225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D3923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D39255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D39277
DragFinish.SHELL32(?), ref: 00D3927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D39371

Strings

@GUI_DRAGFILE, xrefs: 00D39320
@U=u, xrefs: 00D391B0, 00D39225, 00D3923E, 00D39255, 00D39277
@GUI_DRAGID, xrefs: 00D392E9
@GUI_DROPID, xrefs: 00D3929E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: 93bde1902445d0c6da4dc58f8d8bd4f542444229136a5ec933c1fb2f366565fd
Instruction ID: 1671d3ddfaeb6571626d8f4720e3d99339745db1ef9c7ea9f290c2e820b46cee
Opcode Fuzzy Hash: 93bde1902445d0c6da4dc58f8d8bd4f542444229136a5ec933c1fb2f366565fd
Instruction Fuzzy Hash: 7B617C71108301AFC701EF64DC85DAFBBE8EF89754F400A1EF595932A1DB70AA49CB62

Function 00D2AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B1D4
_wcslen.LIBCMT ref: 00D2B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2B236
_wcslen.LIBCMT ref: 00D2B332

Part of subcall function 00D105A7: GetStdHandle.KERNEL32(000000F6), ref: 00D105C6

_wcslen.LIBCMT ref: 00D2B34B
_wcslen.LIBCMT ref: 00D2B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D2B3B6
GetLastError.KERNEL32(00000000), ref: 00D2B407
CloseHandle.KERNEL32(?), ref: 00D2B439
CloseHandle.KERNEL32(00000000), ref: 00D2B44A
CloseHandle.KERNEL32(00000000), ref: 00D2B45C
CloseHandle.KERNEL32(00000000), ref: 00D2B46E
CloseHandle.KERNEL32(?), ref: 00D2B4E3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b764e0701a423af9379af297aeb6766ca0474a948c07d856b1b46da87d0e8bcf
Instruction ID: 46dc00a78bccf2dfd4424939369b9c840b04c59a9468470192deb6de4e13d63e
Opcode Fuzzy Hash: b764e0701a423af9379af297aeb6766ca0474a948c07d856b1b46da87d0e8bcf
Instruction Fuzzy Hash: E4F1BD315043119FC714EF24D891B6EBBE5BF85328F18855EF8959B2A2CB71EC41CB62

Function 00CA326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D71990), ref: 00CE2F8D
GetMenuItemCount.USER32(00D71990), ref: 00CE303D
GetCursorPos.USER32(?), ref: 00CE3081
SetForegroundWindow.USER32(00000000), ref: 00CE308A
TrackPopupMenuEx.USER32(00D71990,00000000,?,00000000,00000000,00000000), ref: 00CE309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CE30A9

Strings

0, xrefs: 00CA327D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a9887a70c89b5bc31d4a4b7f6847cbc4c82d692ce8a8078fdb648afb3ee71851
Instruction ID: ccda7e0bb27ee6fa82106a336eda3367176bb6b20cf6ac65833d6e76b09c4b76
Opcode Fuzzy Hash: a9887a70c89b5bc31d4a4b7f6847cbc4c82d692ce8a8078fdb648afb3ee71851
Instruction Fuzzy Hash: DF713A31644296BEFB218F66CC49F9ABF68FF01324F244206F524AA1E1C7B1AE50D760

Function 00D1C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D1C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D1C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D1C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D1C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D1C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D1C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D1C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D1C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D1C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D1C5F0
InternetCloseHandle.WININET(00000000), ref: 00D1C5FB

Strings

, xrefs: 00D1C575

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f332af82a9db512e2624588e08802540656052b813ed23972a9b727a85748470
Instruction ID: 940f1c7540467d7382e2b742b9556be814cf3a737c09e071be3feb3d51922dd9
Opcode Fuzzy Hash: f332af82a9db512e2624588e08802540656052b813ed23972a9b727a85748470
Instruction Fuzzy Hash: 5C5139B1550308BFEB218FA4D988ABB7BBDFF08754F046419F945E6210EB34E9849B70

Function 00D114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D11502
VariantCopy.OLEAUT32(?,?), ref: 00D1150B
VariantClear.OLEAUT32(?), ref: 00D11517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D11657
VariantInit.OLEAUT32(?), ref: 00D11708
SysFreeString.OLEAUT32(?), ref: 00D1178C
VariantClear.OLEAUT32(?), ref: 00D117D8
VariantClear.OLEAUT32(?), ref: 00D117E7
VariantInit.OLEAUT32(00000000), ref: 00D11823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D11625
Default, xrefs: 00D116AF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a9f4ff62f1fa1bcb21901fd98cf55342844a1ab711fdba238ce5bdbf060756e7
Instruction ID: c3dadcc3d7f2e9ccd4c87ba5f62a7f5dc0124d6375d8be9d0007eab191f180c7
Opcode Fuzzy Hash: a9f4ff62f1fa1bcb21901fd98cf55342844a1ab711fdba238ce5bdbf060756e7
Instruction Fuzzy Hash: 37D11235600615EBEB109F64E885BFDB7B6BF45700F148459E686AB280DF30EC85EB72

Function 00D2B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D2B80A
RegCloseKey.ADVAPI32(?), ref: 00D2B87E
RegCloseKey.ADVAPI32(?), ref: 00D2B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D2B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D2B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D2B922
FreeLibrary.KERNEL32(00000000), ref: 00D2B983
RegCloseKey.ADVAPI32(00000000), ref: 00D2B994

Strings

advapi32.dll, xrefs: 00D2B8ED
RegDeleteKeyExW, xrefs: 00D2B8FE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 01c4354109b1cb76685b72e5a53db132a5562a063fbcd13233f3a286c5e40cdd
Instruction ID: bc22ff7871be43ad9630e35b017401a877c4d83c9fd33a2339c6c1d8819a4725
Opcode Fuzzy Hash: 01c4354109b1cb76685b72e5a53db132a5562a063fbcd13233f3a286c5e40cdd
Instruction Fuzzy Hash: 53C1AC30208212AFD714DF24D495F2ABBE1FF95318F18845DE49A8B2A2CB71EC45DBA1

Function 00D3541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D35504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D35515
CharNextW.USER32(00000158), ref: 00D35544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D35585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D3559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D355AC

Strings

@U=u, xrefs: 00D35504, 00D35515, 00D3554A, 00D355C9, 00D3562B, 00D35816

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: 5ac4af71d97416a6c132c8255c4cd284bd17cfc6faf810a5b266b90db8f936f2
Instruction ID: 72320c77fa266fa27b0357ca1e9e9371820145a8c8ea4d132eac455f4572114c
Opcode Fuzzy Hash: 5ac4af71d97416a6c132c8255c4cd284bd17cfc6faf810a5b266b90db8f936f2
Instruction Fuzzy Hash: EF619B75900608EFDF10CF94EC85AFE7BB9EB0A320F148155F965AB2A4D7709A80DB70

Function 00D2255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D225E8
CreateCompatibleDC.GDI32(?), ref: 00D225F4
SelectObject.GDI32(00000000,?), ref: 00D22601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D2266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D226D0
SelectObject.GDI32(?,?), ref: 00D226D8
DeleteObject.GDI32(?), ref: 00D226E1
DeleteDC.GDI32(?), ref: 00D226E8
ReleaseDC.USER32(00000000,?), ref: 00D226F3

Strings

(, xrefs: 00D2268D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: eab038ff532123ae692a644f821c9f56044b735d37f0f6428666629944032597
Instruction ID: 1ba8000686d7f4ff778d514136c2c28d88c18fd0f8a39526703281d3503894a6
Opcode Fuzzy Hash: eab038ff532123ae692a644f821c9f56044b735d37f0f6428666629944032597
Instruction Fuzzy Hash: E261F176D00219EFCF14CFA8D884AAEBBB6FF48310F208529E955A7350D770A941DFA0

Function 00D0E6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D0E6B4

Part of subcall function 00CBE551: timeGetTime.WINMM(?,?,00D0E6D4), ref: 00CBE555

Sleep.KERNEL32(0000000A), ref: 00D0E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D0E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D0E727
SetActiveWindow.USER32 ref: 00D0E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D0E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D0E773
Sleep.KERNEL32(000000FA), ref: 00D0E77E
IsWindow.USER32 ref: 00D0E78A
EndDialog.USER32(00000000), ref: 00D0E79B

Strings

@U=u, xrefs: 00D0E754, 00D0E773
BUTTON, xrefs: 00D0E719

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 89a976dc9143a353d544e9edab0e40fc9ba0c9185e250aae8f42de09b9c78290
Instruction ID: 76ebee6333d3adeb6773868d8cdb5ad804ce65cba2feb4f9268f56cabad086fd
Opcode Fuzzy Hash: 89a976dc9143a353d544e9edab0e40fc9ba0c9185e250aae8f42de09b9c78290
Instruction Fuzzy Hash: 55216FB0210344AFEB006F65EC8AB393B69E794749F541825F50ED13F1EB71AC409B34

Function 00CDDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CDDAA1

Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD659
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD66B
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD67D
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD68F
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6A1
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6B3
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6C5
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6D7
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6E9
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD6FB
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD70D
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD71F
Part of subcall function 00CDD63C: _free.LIBCMT ref: 00CDD731

_free.LIBCMT ref: 00CDDA96

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDDAB8
_free.LIBCMT ref: 00CDDACD
_free.LIBCMT ref: 00CDDAD8
_free.LIBCMT ref: 00CDDAFA
_free.LIBCMT ref: 00CDDB0D
_free.LIBCMT ref: 00CDDB1B
_free.LIBCMT ref: 00CDDB26
_free.LIBCMT ref: 00CDDB5E
_free.LIBCMT ref: 00CDDB65
_free.LIBCMT ref: 00CDDB82
_free.LIBCMT ref: 00CDDB9A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: dd6731532c12c81b4af2ce8022cba73fbedebb5e0d48e8a0eef06c1ab5ca8373
Instruction ID: 3391ffcc548399693e0afd159a4d7ee267c3f8b4340c564c4755e94fb6436180
Opcode Fuzzy Hash: dd6731532c12c81b4af2ce8022cba73fbedebb5e0d48e8a0eef06c1ab5ca8373
Instruction Fuzzy Hash: D6314D31A04705AFEB21AA39E845B56B7E9FF10314F15441BF66AD7391DF31ED80A720

Function 00D0365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D0369C
_wcslen.LIBCMT ref: 00D036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D03797
GetClassNameW.USER32(?,?,00000400), ref: 00D0380C
GetDlgCtrlID.USER32(?), ref: 00D0385D
GetWindowRect.USER32(?,?), ref: 00D03882
GetParent.USER32(?), ref: 00D038A0
ScreenToClient.USER32(00000000), ref: 00D038A7
GetClassNameW.USER32(?,?,00000100), ref: 00D03921
GetWindowTextW.USER32(?,?,00000400), ref: 00D0395D

Strings

%s%u, xrefs: 00D03734

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 8744761ee3cb316db3cdc610dd45de803213cd5a379e01a2b74526405574f43f
Instruction ID: 48660c12341ea7d92af5bf93798a0a462bcded79d2eee085f79f62a86fb5f6f3
Opcode Fuzzy Hash: 8744761ee3cb316db3cdc610dd45de803213cd5a379e01a2b74526405574f43f
Instruction Fuzzy Hash: D9918B71204706AFD719DF24D885FAAB7ACFF48350F448629F999D2190DB30EA45CBA1

Function 00D04954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D04994
GetWindowTextW.USER32(?,?,00000400), ref: 00D049DA
_wcslen.LIBCMT ref: 00D049EB
CharUpperBuffW.USER32(?,00000000), ref: 00D049F7
_wcsstr.LIBVCRUNTIME ref: 00D04A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D04A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D04A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D04AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D04B20
GetWindowRect.USER32(?,?), ref: 00D04B8B

Strings

ThumbnailClass, xrefs: 00D04A6F, 00D04AF1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 4f84d1df224a48ed67b8b02ac0fd8e0529695ac624c7b2abbfcb542d80c540a8
Instruction ID: 3a37b2a8794b643f17f9e50291b6fc7faff372ba965a7ac0c1bb30697522b960
Opcode Fuzzy Hash: 4f84d1df224a48ed67b8b02ac0fd8e0529695ac624c7b2abbfcb542d80c540a8
Instruction Fuzzy Hash: 80918AB21043059BDB14DF14C985FAAB7E8EF84354F088469FE899A1D6EB30ED45CBB1

Function 00D38D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D38D5A
GetFocus.USER32 ref: 00D38D6A
GetDlgCtrlID.USER32(00000000), ref: 00D38D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D38E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D38ECF
GetMenuItemCount.USER32(?), ref: 00D38EEC
GetMenuItemID.USER32(?,00000000), ref: 00D38EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D38F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D38F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D38FA1

Strings

0, xrefs: 00D38E9F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 4cbc93597011caf75edb8b4763f8b312b164482626772d101095b93dbe005005
Instruction ID: cf074824aa9b9be1e5f6ab47945a49a7ceb48e004585dcd852f7e5fe8e548c06
Opcode Fuzzy Hash: 4cbc93597011caf75edb8b4763f8b312b164482626772d101095b93dbe005005
Instruction Fuzzy Hash: F7818C71508301AFD720DF24D884AABBBE9FF88354F180A19F995E7291DB71D901EBB1

Function 00D0DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D0DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D0DC46
_wcslen.LIBCMT ref: 00D0DC50
_wcsstr.LIBVCRUNTIME ref: 00D0DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D0DCBC

Strings

\VarFileInfo\Translation, xrefs: 00D0DCB4
%u.%u.%u.%u, xrefs: 00D0DD9A
StringFileInfo\, xrefs: 00D0DC8F
DefaultLangCodepage, xrefs: 00D0DD1F
04090000, xrefs: 00D0DCF2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 5b8aedd7df7d5f3de187e91cd6a3ba6534214000bd92588f1c0d0e6fc8b2f702
Instruction ID: 28547e41a7248da5470c6702ce9d90955411281e3e0da9cee242da1a29258c91
Opcode Fuzzy Hash: 5b8aedd7df7d5f3de187e91cd6a3ba6534214000bd92588f1c0d0e6fc8b2f702
Instruction Fuzzy Hash: 8E41DD72A403017AEB14A7B4DC47FBF77ACEF56710F14006AF904A62C2EA70DA01A7B4

Function 00D2CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D2CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D2CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D2CD48

Part of subcall function 00D2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D2CCAA
Part of subcall function 00D2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D2CCBD
Part of subcall function 00D2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D2CCCF
Part of subcall function 00D2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D2CD05
Part of subcall function 00D2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D2CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D2CCF3

Strings

advapi32.dll, xrefs: 00D2CCB8
RegDeleteKeyExW, xrefs: 00D2CCC9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 786015e420513302bc408ac20e04b014df72e423c0c411adffb44d5425c1240b
Instruction ID: 2de7f78c83ee8677653588e72d810b69fe16008ffac16aa85ee1c9c5bde080ef
Opcode Fuzzy Hash: 786015e420513302bc408ac20e04b014df72e423c0c411adffb44d5425c1240b
Instruction Fuzzy Hash: 45318E76911228BBDB208B61EC88EFFBB7CEF15744F041165A905E3240DA749E45EBB0

Function 00D0E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D0EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D0EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D0EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D0EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D0EAA7

Strings

play PlayMe, xrefs: 00D0EAA2
status PlayMe mode, xrefs: 00D0EA58
alias PlayMe, xrefs: 00D0EA36
open , xrefs: 00D0EA0C
play PlayMe wait, xrefs: 00D0EA91
close PlayMe, xrefs: 00D0EA6E, 00D0EA9B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8aa042ce4880a94f32e88af18aefb914140c9662b26cfe2fb02d93c4aef0d681
Instruction ID: d90bb80301aa0cb6218e8d344da907bbd82c2dbe02d09a77e4a81e100cda80c4
Opcode Fuzzy Hash: 8aa042ce4880a94f32e88af18aefb914140c9662b26cfe2fb02d93c4aef0d681
Instruction Fuzzy Hash: 26117731B902597ED710A762DC4AEFF6B7CEBD6B44F04082AB805A20D1EFB04D09C9B0

Function 00D05CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D05CE2
GetWindowRect.USER32(00000000,?), ref: 00D05CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D05D59
GetDlgItem.USER32(?,00000002), ref: 00D05D69
GetWindowRect.USER32(00000000,?), ref: 00D05D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D05DCF
GetDlgItem.USER32(?,000003E9), ref: 00D05DDD
GetWindowRect.USER32(00000000,?), ref: 00D05DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D05E31
GetDlgItem.USER32(?,000003EA), ref: 00D05E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D05E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D05E67

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f4eec89ef350484919bc692bfa2318abd57f694373f902c7233c6caf09b34371
Instruction ID: 465d87c4009b582628dec39f5b57ad86c8075314dca66a6c3334c62878ef157d
Opcode Fuzzy Hash: f4eec89ef350484919bc692bfa2318abd57f694373f902c7233c6caf09b34371
Instruction Fuzzy Hash: FA51FCB1A10715AFDB18CF68DD89BAEBBB5EB48300F149129F919E7294D7709E04CF60

Function 00CB8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CB8BE8,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8FC5

DestroyWindow.USER32(?), ref: 00CB8C81
KillTimer.USER32(00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CB8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CF6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CF69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000,?), ref: 00CF69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CB8BBA,00000000), ref: 00CF69D4
DeleteObject.GDI32(00000000), ref: 00CF69E6

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 22ee5d5c48cc25624b71506e595532fc47157bf5d994e3a1c59ff2caca0c14e3
Instruction ID: 761f0040b377e08809a2fcdf57fc1c61f057cfac240b726fc6e3e58734c14270
Opcode Fuzzy Hash: 22ee5d5c48cc25624b71506e595532fc47157bf5d994e3a1c59ff2caca0c14e3
Instruction Fuzzy Hash: 1861DC75102705DFCB258F28C948BB57BF5FB04312F144618E2669B6A0CB71AEC5EFA1

Function 00CB9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

GetSysColor.USER32(0000000F), ref: 00CB9862

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 687f79a1a4f7c9e6973fed6b7daa3ed6e5a958516e8f0735b7344efa278f91e4
Instruction ID: 0e47c3c06878a4c824c67f028d5299e40de8cda3955cbb255db9264bc831aaff
Opcode Fuzzy Hash: 687f79a1a4f7c9e6973fed6b7daa3ed6e5a958516e8f0735b7344efa278f91e4
Instruction Fuzzy Hash: F0417B31504744AFDB215B389C88BB93BA5EB06320F145619EAB69B2E1D7329942EB21

Function 00D350D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D35186
ShowWindow.USER32(?,00000000), ref: 00D351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D351D1

Part of subcall function 00D36FBA: DeleteObject.GDI32(00000000), ref: 00D36FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D3520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D3521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D3524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D35287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D35296

Strings

@U=u, xrefs: 00D35186

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: a344597cfbb26565dfa29f94c175072e10b5e026501038029113c6f06dad5d3f
Instruction ID: 8962af9d4dbba6fa28f7a6f9ca7fdbd39df2e76aeb66cd73063f624c0fb66a6c
Opcode Fuzzy Hash: a344597cfbb26565dfa29f94c175072e10b5e026501038029113c6f06dad5d3f
Instruction Fuzzy Hash: 8651B134A50B08BFEF209F24EC4ABD93BA5FB05361F184111FA19A62E4C775A990DB74

Function 00CB8B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CF6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CF68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CF68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CF68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CF68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CF6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CF691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00CF692D

Strings

@U=u, xrefs: 00CF68F2, 00CF691E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: f0e1eb7b0d056ca9f3d0f7ae3bb567ffa7f74c46cb2b21f5170359d82c4cb9ed
Instruction ID: eb87e14ff9ed5ded551489c0a13ed2e4bbd06ae04357b18022925f288c7b7b95
Opcode Fuzzy Hash: f0e1eb7b0d056ca9f3d0f7ae3bb567ffa7f74c46cb2b21f5170359d82c4cb9ed
Instruction Fuzzy Hash: CD516974610309AFDB20CF25CC55BAA7BB9EB58750F104518FA66E72A0DB70EA90DB60

Function 00D096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D09717
LoadStringW.USER32(00000000,?,00CEF7F8,00000001), ref: 00D09720

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D09742
LoadStringW.USER32(00000000,?,00CEF7F8,00000001), ref: 00D09745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D09866

Strings

Line %d:, xrefs: 00D097A0
^ ERROR, xrefs: 00D097FB
Line %d (File "%s"):, xrefs: 00D0978F
%s (%d) : ==> %s: %s %s, xrefs: 00D0984A
Error: , xrefs: 00D0981D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 367c940e0821cb57f4e8a7bf6c48a164f3ece6c7a64d40be3b93f17af6bd8220
Instruction ID: d2adefb47e0059913f3a0af79967a7d52831bb551ff8a09fb69a15a616084ec9
Opcode Fuzzy Hash: 367c940e0821cb57f4e8a7bf6c48a164f3ece6c7a64d40be3b93f17af6bd8220
Instruction Fuzzy Hash: FC413A7280421AAACF04EBE0DD96EEEB778EF56344F104025F505B21A2EB356F49DB71

Function 00D006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D00804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D0082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D00837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D0083C

Strings

\IPC$, xrefs: 00D00784
\CLSID, xrefs: 00D00724
SOFTWARE\Classes\, xrefs: 00D0070E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 93db61a4246c1549138666896e73e521a92a7514bfb83369150d0e8b457cea9e
Instruction ID: 5a26cce277adeae298332fe37dd9573856a3d5e51147b8dd3eab493e2db2f02d
Opcode Fuzzy Hash: 93db61a4246c1549138666896e73e521a92a7514bfb83369150d0e8b457cea9e
Instruction Fuzzy Hash: 5C41F772C10229ABDF15EBA4DC959EEB778FF44354F044129E905B32A1EB349E44DFA0

Function 00D23C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D23C5C
CoInitialize.OLE32(00000000), ref: 00D23C8A
CoUninitialize.OLE32 ref: 00D23C94
_wcslen.LIBCMT ref: 00D23D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D23DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D23ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D23F0E
CoGetObject.OLE32(?,00000000,00D3FB98,?), ref: 00D23F2D
SetErrorMode.KERNEL32(00000000), ref: 00D23F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D23FC4
VariantClear.OLEAUT32(?), ref: 00D23FD8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: ddcc5ef78c7fd59c937aebfcb5f4e68c6b0eae3d510c6de0ab943fc6fd90d5bc
Instruction ID: 970f68a6ca11f1229a70018133e95470c6733876e1be53089ce5f8429712bb19
Opcode Fuzzy Hash: ddcc5ef78c7fd59c937aebfcb5f4e68c6b0eae3d510c6de0ab943fc6fd90d5bc
Instruction Fuzzy Hash: E6C14471608315AFC700DF68D88492BBBE9FF99748F04495DF98A9B210D735EE05CB62

Function 00D17A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D17AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D17B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D17BA3
CoCreateInstance.OLE32(00D3FD08,00000000,00000001,00D66E6C,?), ref: 00D17BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D17C74
CoTaskMemFree.OLE32(?,?), ref: 00D17CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D17D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D17D7A
CoTaskMemFree.OLE32(00000000), ref: 00D17D81
CoTaskMemFree.OLE32(00000000), ref: 00D17DD6
CoUninitialize.OLE32 ref: 00D17DDC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 13f543bf99bef56ea7e08f8a73eb4671a27b115dd48519b0b3e24f8c845a5ec2
Instruction ID: af2565c1fe30a6c7b5a2e406ea2689bd38f6dce068c8e8197fb8ad021e922934
Opcode Fuzzy Hash: 13f543bf99bef56ea7e08f8a73eb4671a27b115dd48519b0b3e24f8c845a5ec2
Instruction Fuzzy Hash: 95C10A75A04209AFCB14DFA4D884DAEBBF5FF48314B148499E516DB361DB30EE85CBA0

Function 00CFFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CFFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CFFB08
VariantInit.OLEAUT32(?), ref: 00CFFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CFFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CFFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CFFBA1
VariantClear.OLEAUT32(?), ref: 00CFFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CFFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CFFBCC
VariantClear.OLEAUT32(?), ref: 00CFFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CFFBE9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a2598741ca4a011104574fc29859c7926ef447d58185d06e9a314533ea1284a5
Instruction ID: ed1f858ebcc4b49b22275ccf6498c6e8de1140f1be4f7a6c5a3af1ea3ed9aff1
Opcode Fuzzy Hash: a2598741ca4a011104574fc29859c7926ef447d58185d06e9a314533ea1284a5
Instruction Fuzzy Hash: 28412035A0021D9FCB10DFA4D8549FEBBB9EF48354F008069E955E7361DB30A946DBA1

Function 00D09C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D09CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D09D22
GetKeyState.USER32(000000A0), ref: 00D09D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D09D57
GetKeyState.USER32(000000A1), ref: 00D09D6C
GetAsyncKeyState.USER32(00000011), ref: 00D09D84
GetKeyState.USER32(00000011), ref: 00D09D96
GetAsyncKeyState.USER32(00000012), ref: 00D09DAE
GetKeyState.USER32(00000012), ref: 00D09DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D09DD8
GetKeyState.USER32(0000005B), ref: 00D09DEA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8470b94497d9da61ddc0451c1409fcaab9668525f410ee01a01752b7be440b50
Instruction ID: 13ba441eb4f1c1b7965baad346f858eb9f0614d61f665dc165530e12161c3a8b
Opcode Fuzzy Hash: 8470b94497d9da61ddc0451c1409fcaab9668525f410ee01a01752b7be440b50
Instruction Fuzzy Hash: 0A4196349447C969FF319764C8243B5FEA06B51344F0C805ADACA566C3EBA59DC8C7B2

Function 00D2055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D205BC
inet_addr.WSOCK32(?), ref: 00D2061C
gethostbyname.WSOCK32(?), ref: 00D20628
IcmpCreateFile.IPHLPAPI ref: 00D20636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D207B9
WSACleanup.WSOCK32 ref: 00D207BF

Strings

Ping, xrefs: 00D20676

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a24c2f0cdf8d7653d5261637dcf9bdef593f2d5f7b62f281aee5a6274e8f92dc
Instruction ID: 8ac7d59377c31ad2aff0e339b07f9f7a2d0f42b2b179f811984d4aa47148881b
Opcode Fuzzy Hash: a24c2f0cdf8d7653d5261637dcf9bdef593f2d5f7b62f281aee5a6274e8f92dc
Instruction Fuzzy Hash: 10917A756083119FD320DF15D889F1ABBE0AF54318F1885A9E4A99B7A3C730ED45CFA1

Function 00D28CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D28CF3

Part of subcall function 00D08E54: _wcslen.LIBCMT ref: 00D08E77

_wcslen.LIBCMT ref: 00D28D4E
_wcslen.LIBCMT ref: 00D28D9C
_wcslen.LIBCMT ref: 00D28DDC
_wcslen.LIBCMT ref: 00D28E6E

Strings

winapi, xrefs: 00D28D96, 00D28D9B
none, xrefs: 00D28E65, 00D28E6A
stdcall, xrefs: 00D28DD6, 00D28DDB
cdecl, xrefs: 00D28D48, 00D28D4D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d1045b417f3a603548cc64522e61d18d6cee3bce4734fee67f64e0a337f9c0da
Instruction ID: f34fdba10b3b163cd9122447bf491874f8b4787da17cd7bff6046d6157645470
Opcode Fuzzy Hash: d1045b417f3a603548cc64522e61d18d6cee3bce4734fee67f64e0a337f9c0da
Instruction Fuzzy Hash: 3D51C331A051269BCB14DF68D8409BEB3A5BF75328B294229F466E72C4DB32DD44E7A0

Function 00D2372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D23774
CoUninitialize.OLE32 ref: 00D2377F
CoCreateInstance.OLE32(?,00000000,00000017,00D3FB78,?), ref: 00D237D9
IIDFromString.OLE32(?,?), ref: 00D2384C
VariantInit.OLEAUT32(?), ref: 00D238E4
VariantClear.OLEAUT32(?), ref: 00D23936

Strings

NULL Pointer assignment, xrefs: 00D2381E
Failed to create object, xrefs: 00D237E4, 00D2389A
Invalid parameter, xrefs: 00D23865

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0cd23cb9de80bafee751b443558c84f6b31633c97a2983d89adc185a240431a0
Instruction ID: ce3bf49ae009b0ed66929dfa9d49e8edffe2867010b3a33919931d782432e2ed
Opcode Fuzzy Hash: 0cd23cb9de80bafee751b443558c84f6b31633c97a2983d89adc185a240431a0
Instruction Fuzzy Hash: DB61BF70608321AFD710DF64E849B5ABBE8EF59718F040909F9859B291D774EE48CBB2

Function 00CA5BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CA5C7A

Part of subcall function 00CA5D0A: GetClientRect.USER32(?,?), ref: 00CA5D30
Part of subcall function 00CA5D0A: GetWindowRect.USER32(?,?), ref: 00CA5D71
Part of subcall function 00CA5D0A: ScreenToClient.USER32(?,?), ref: 00CA5D99

GetDC.USER32 ref: 00CE46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CE4708
SelectObject.GDI32(00000000,00000000), ref: 00CE4716
SelectObject.GDI32(00000000,00000000), ref: 00CE472B
ReleaseDC.USER32(?,00000000), ref: 00CE4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CE47C4

Strings

@U=u, xrefs: 00CE4708
U, xrefs: 00CE4693

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: a4f053b2ac8b27f2286fd5a47e13b09c2c060399c35c373d4a38fd7bbe0aa577
Instruction ID: 06076ad739e324b03aa861ed1650f96a8999acaf462a2a59356371d4b29e1c11
Opcode Fuzzy Hash: a4f053b2ac8b27f2286fd5a47e13b09c2c060399c35c373d4a38fd7bbe0aa577
Instruction Fuzzy Hash: 50710634400345DFCF298F65C984ABA7BB5FF4A364F144269FD659A2AAC3308D41DFA0

Function 00D38B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

Part of subcall function 00CB912D: GetCursorPos.USER32(?), ref: 00CB9141
Part of subcall function 00CB912D: ScreenToClient.USER32(00000000,?), ref: 00CB915E
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000001), ref: 00CB9183
Part of subcall function 00CB912D: GetAsyncKeyState.USER32(00000002), ref: 00CB919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D38B6B
ImageList_EndDrag.COMCTL32 ref: 00D38B71
ReleaseCapture.USER32 ref: 00D38B77
SetWindowTextW.USER32(?,00000000), ref: 00D38C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D38C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D38CFF

Strings

@GUI_DRAGFILE, xrefs: 00D38C9A
@U=u, xrefs: 00D38C25
@GUI_DROPID, xrefs: 00D38C51

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 579944b0c49d88682fb4f448c1d5c2daac5da2008fe14d9b893d4bcbe2640d0d
Instruction ID: 7526c5561be6701ba8a1a797344fb37bc4aec0ad3c12979953aaa98792b1c508
Opcode Fuzzy Hash: 579944b0c49d88682fb4f448c1d5c2daac5da2008fe14d9b893d4bcbe2640d0d
Instruction Fuzzy Hash: 38517875204304AFD704DF24CC96FAA77E4FB88714F040629FA96A72A1DB70A944DBB2

Function 00D13388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D133CF

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D133F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00D13522
Line %d (File "%s"):, xrefs: 00D13443, 00D1345C
Error: , xrefs: 00D134D1
Incorrect parameters to object property !, xrefs: 00D134AB
^ ERROR , xrefs: 00D1349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00D13504

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 01f8062da511b00488f399fa3b1611c992196f985f9da6c2919c2a05ab77151c
Instruction ID: f8da424bfac55d2d3d75a471ed80c33cdf421261dde8d46e98d90ad4595b222e
Opcode Fuzzy Hash: 01f8062da511b00488f399fa3b1611c992196f985f9da6c2919c2a05ab77151c
Instruction Fuzzy Hash: E9518A7190020AABDF14EBA0DD56EEEB779EF05344F144165B409B21A2EF316F98EB70

Function 00D0B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D0B5FC
_wcslen.LIBCMT ref: 00D0B608
_wcslen.LIBCMT ref: 00D0B64D
_wcslen.LIBCMT ref: 00D0B68C
_wcslen.LIBCMT ref: 00D0B6C7

Strings

KEYS, xrefs: 00D0B647, 00D0B64C
APPEND, xrefs: 00D0B6C1, 00D0B6C6
REMOVE, xrefs: 00D0B602, 00D0B607
EXISTS, xrefs: 00D0B686, 00D0B68B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 15f1c13ff0d1baf1a5227618448814ddfab02961aefda155df419e4007b0501f
Instruction ID: c05827b3bb8bdddf876c6fb1e7d8b8184676a9213727315126b74d763fa8397a
Opcode Fuzzy Hash: 15f1c13ff0d1baf1a5227618448814ddfab02961aefda155df419e4007b0501f
Instruction Fuzzy Hash: 8841A932A041279BCB105F7DC8906BE77A5ABA1774B68412BE469DF2C4E732CD81C7B0

Function 00D15393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D15416
GetLastError.KERNEL32 ref: 00D15420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D154A7

Strings

READY, xrefs: 00D15460, 00D15468
INVALID, xrefs: 00D15459
READONLY, xrefs: 00D15452
UNKNOWN, xrefs: 00D15444
NOTREADY, xrefs: 00D1544B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 68a1f5d57d8e0557460eb0f9f216096b02801937d55b1263eb8cf2318db64255
Instruction ID: e79221216e1171f0da7175795484c21bd4d2c91bd9110efa5182e1f94404c6cd
Opcode Fuzzy Hash: 68a1f5d57d8e0557460eb0f9f216096b02801937d55b1263eb8cf2318db64255
Instruction Fuzzy Hash: 5F318F35A00605EFC710DF68E484AEABBB4EB85309F188065E406DB396DB75DDC6CBB0

Function 00D33C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D33C79
SetMenu.USER32(?,00000000), ref: 00D33C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D33D10
IsMenu.USER32(?), ref: 00D33D24
CreatePopupMenu.USER32 ref: 00D33D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D33D5B
DrawMenuBar.USER32 ref: 00D33D63

Strings

F, xrefs: 00D33D4E
0, xrefs: 00D33C54

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: cbb2be3d48b38b39274038241e0ed72eac28c9f85b7a01ace4a0c1728c276703
Instruction ID: 882e5b97f4070250a48093f47d222bde6bf1cd192cffb8cec7373f5742bf7880
Opcode Fuzzy Hash: cbb2be3d48b38b39274038241e0ed72eac28c9f85b7a01ace4a0c1728c276703
Instruction Fuzzy Hash: FD413979A01309AFDB14CF64E944AAA7BB5FF49350F180029F956E7360D770AA11CFA4

Function 00D32D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D32D1B
GetDC.USER32(00000000), ref: 00D32D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D32D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D32D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D32D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D32D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D32DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D32DE1

Strings

@U=u, xrefs: 00D32D87, 00D32DE1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 6598331dbc36185a4a0ac4279affd76f95968d8a302c3a20657e1dfa65e5d691
Instruction ID: abcc1b484913d2b6f1a7384ac143e4ae77820973843b0b775c66fef91755ba6e
Opcode Fuzzy Hash: 6598331dbc36185a4a0ac4279affd76f95968d8a302c3a20657e1dfa65e5d691
Instruction Fuzzy Hash: DD316B72211614BBEB218F50DC8AFFB3BA9EB09755F084055FE08EA2A1D6759C50CBB4

Function 00D0209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D0214D

Strings

@U=u, xrefs: 00D0214D
smallicons, xrefs: 00D02115
list, xrefs: 00D0212F
largeicons, xrefs: 00D020E1
SHELLDLL_DefView, xrefs: 00D020CC
details, xrefs: 00D020FB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 8cd644abc4e74c4ac351689e69171387f15ce6e3ca9b881555f15c5f822757a4
Instruction ID: 148db872b8e915e3339cd509ec82c102d55e30c959672e2b0a069e9a09c954b0
Opcode Fuzzy Hash: 8cd644abc4e74c4ac351689e69171387f15ce6e3ca9b881555f15c5f822757a4
Instruction Fuzzy Hash: CB113676288306BAFA192224EC0BFB6739CCB05324F20001AFB4CA50E5EA61A8466635

Function 00D33A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D33A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D33AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D33AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D33AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D33B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D33BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D33BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D33BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D33BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D33C13

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: fd47e767b536d9d5aae88730d273a5bbb00b5a1110a65231c99f5a0c4a5d5af0
Instruction ID: b9c29cd0babe19cf4d3f005780acd3dda98580b0e95029bf2081cad9526d9ca3
Opcode Fuzzy Hash: fd47e767b536d9d5aae88730d273a5bbb00b5a1110a65231c99f5a0c4a5d5af0
Instruction Fuzzy Hash: 82615A75900248AFDB10DFA8CD81EEE77B8EB09700F144199FA15E73A1D774AE85DB60

Function 00D0B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D0B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D0B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D0A1E1,?,00000001), ref: 00D0B21D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 97795198cd34de458a1a2b3ce42cd0a84917d900b3a283fafcfecab49b611149
Instruction ID: 71f981aa0faba7f0d5a4ab237ae57da3202c48dacb0b696662d3409c15299774
Opcode Fuzzy Hash: 97795198cd34de458a1a2b3ce42cd0a84917d900b3a283fafcfecab49b611149
Instruction Fuzzy Hash: FD319C71614304BFDB109F24DC49B6D7BA9BB61321F145416FA09E73E0E7B49A808F79

Function 00CD2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD2C94

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CD2CA0
_free.LIBCMT ref: 00CD2CAB
_free.LIBCMT ref: 00CD2CB6
_free.LIBCMT ref: 00CD2CC1
_free.LIBCMT ref: 00CD2CCC
_free.LIBCMT ref: 00CD2CD7
_free.LIBCMT ref: 00CD2CE2
_free.LIBCMT ref: 00CD2CED
_free.LIBCMT ref: 00CD2CFB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dcf52a5746fe457c68cec829c53de3cad386514a828de01cffe4630c756aa279
Instruction ID: a7dd70824550489c368a2d13fa02ebb941302ace938b5c2744ec2bea9412f21f
Opcode Fuzzy Hash: dcf52a5746fe457c68cec829c53de3cad386514a828de01cffe4630c756aa279
Instruction Fuzzy Hash: 26119376100108BFCB02EF54D892CDD3BA5FF15350F4144A6FA489B322DA31EE50BB90

Function 00CA1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CA1459
OleUninitialize.OLE32(?,00000000), ref: 00CA14F8
UnregisterHotKey.USER32(?), ref: 00CA16DD
DestroyWindow.USER32(?), ref: 00CE24B9
FreeLibrary.KERNEL32(?), ref: 00CE251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CE254B

Strings

close all, xrefs: 00CA1454

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 95a2e6d13392de0ef27148084f046ac659a71a8f44d6402ed518d7a621c43ef7
Instruction ID: 9dc60aca8246a7c830ded049da99e5b2c8517db9bccabc5791043959cca6ceae
Opcode Fuzzy Hash: 95a2e6d13392de0ef27148084f046ac659a71a8f44d6402ed518d7a621c43ef7
Instruction Fuzzy Hash: 34D15F31702252CFCB19EF16C995B69F7A4BF06704F1942ADE84AAB251DB30ED12DF60

Function 00D1359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D135E4

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

LoadStringW.USER32(00D72390,?,00000FFF,?), ref: 00D1360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00D13742
^ ERROR, xrefs: 00D136C9
Line %d (File "%s"):, xrefs: 00D1366B
Error: , xrefs: 00D136EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00D13724

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f1d55faf13814f727a3bd6f85cacd427fb93a72332ff98b492be6f84e23a92fc
Instruction ID: aaa7347da913501f59e72958ca470936c50989a7917d128759c450cebab9dd5b
Opcode Fuzzy Hash: f1d55faf13814f727a3bd6f85cacd427fb93a72332ff98b492be6f84e23a92fc
Instruction Fuzzy Hash: C7516C7190021ABBDF15EBA0DC52EEEBB38EF05344F144125F105721A2EB306A99EBB0

Function 00D33886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D33925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D3393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D33954
_wcslen.LIBCMT ref: 00D33999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D339F4

Strings

@U=u, xrefs: 00D33925, 00D3393A
SysListView32, xrefs: 00D338F7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: bd0f9eaf6ffc9e87797e824b115b7f40718327840f5da3ede7beb5f5fb4d1905
Instruction ID: 4b97dfdb7b6d28cdc3dce10fb7f40028d0d2c5c25cca24106e89eb2fb667b5d4
Opcode Fuzzy Hash: bd0f9eaf6ffc9e87797e824b115b7f40718327840f5da3ede7beb5f5fb4d1905
Instruction Fuzzy Hash: C741A271A00319ABEB219F64CC45FEA77A9FF08354F140526F958E7291D7B1D984CBB0

Function 00D32DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D32E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00D32E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D32E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D32EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D32EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00D32EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D32F0B

Strings

@U=u, xrefs: 00D32E1C, 00D32EB6, 00D32EE0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 5432cf751552a2084b7b05e60723376bcae83ed7bfe52ffc73ac21a54dfc7f7a
Instruction ID: 1e9336710399018c01d1f5894496ecccf337bedb4a72c34923cf345dc9eba91a
Opcode Fuzzy Hash: 5432cf751552a2084b7b05e60723376bcae83ed7bfe52ffc73ac21a54dfc7f7a
Instruction Fuzzy Hash: AB310435A04250AFDB21CF58DC86F6537E1FB8AB10F191164FA14EF2B1CB71A881DB61

Function 00D1C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D1C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D1C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D1C2CA
GetLastError.KERNEL32 ref: 00D1C322
SetEvent.KERNEL32(?), ref: 00D1C336
InternetCloseHandle.WININET(00000000), ref: 00D1C341

Strings

, xrefs: 00D1C2BB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8df770c33595cc4f712f749451066d71de6e84f7f4d7075466b7faa1fe612a41
Instruction ID: 85b8de02a8be8b3d845b9fefcfe4caa5b8d69fd6b31e72912b173536b2ae2f66
Opcode Fuzzy Hash: 8df770c33595cc4f712f749451066d71de6e84f7f4d7075466b7faa1fe612a41
Instruction Fuzzy Hash: AB3191B1550304BFD7219F65AC88AAB7BFCEB49740B14A51DF496D2210DF30DD849B70

Function 00D0989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CE3AAF,?,?,Bad directive syntax error,00D3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D098BC
LoadStringW.USER32(00000000,?,00CE3AAF,?), ref: 00D098C3

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D09987

Strings

Line %d:, xrefs: 00D09912
Line %d (File "%s"):, xrefs: 00D0992D
Error: , xrefs: 00D09955
., xrefs: 00D0996D
%s (%d) : ==> %s.: %s %s, xrefs: 00D098F1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 411bde83c87c7db9451c05fe1643550dfc1ca78909ea0accb6d7a33c11dfb8f8
Instruction ID: 66a45f3c581181a7afc0bc65a7c60b66b1bdd88c4cfb4fc3cb1273781fd9093f
Opcode Fuzzy Hash: 411bde83c87c7db9451c05fe1643550dfc1ca78909ea0accb6d7a33c11dfb8f8
Instruction Fuzzy Hash: 5D219132D4421AAFCF11EF90CC16EEE7735FF19304F045419F519620A2EB71A618EB60

Function 00CDCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CDCEB7
_free.LIBCMT ref: 00CDCF22
_free.LIBCMT ref: 00CDCF48
_free.LIBCMT ref: 00CDCF71
_free.LIBCMT ref: 00CDCFA9
_free.LIBCMT ref: 00CDCFDA
_free.LIBCMT ref: 00CDD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CDD09C
_free.LIBCMT ref: 00CDD0B5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 796c2ca01cfb0ab6c014a8eb6517441a4f14b751c77c9ced7f14605a0d57a4f3
Instruction ID: 800fb2c067364976142690cd421b6c0280863bf80164b2354187e09d624f471f
Opcode Fuzzy Hash: 796c2ca01cfb0ab6c014a8eb6517441a4f14b751c77c9ced7f14605a0d57a4f3
Instruction Fuzzy Hash: 6D610671904312AFDB21AFF4D8C5AAA7BA5AF05320F04416FFB55D7382E6319A41E760

Function 00D1C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D1C182
GetLastError.KERNEL32 ref: 00D1C195
SetEvent.KERNEL32(?), ref: 00D1C1A9

Part of subcall function 00D1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D1C272
Part of subcall function 00D1C253: GetLastError.KERNEL32 ref: 00D1C322
Part of subcall function 00D1C253: SetEvent.KERNEL32(?), ref: 00D1C336
Part of subcall function 00D1C253: InternetCloseHandle.WININET(00000000), ref: 00D1C341

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a51343d21edee0d9e8241ba41b3cf785b1e3f836aa3406af9a4310086e55a3b2
Instruction ID: 7d5d99584183a2f707639089785c343bbf2406602882b5c94da22087faad74f5
Opcode Fuzzy Hash: a51343d21edee0d9e8241ba41b3cf785b1e3f836aa3406af9a4310086e55a3b2
Instruction Fuzzy Hash: 7931AE712A1701BFDB219FA5EC04AABBBF8FF18300B04641DF996D6611DB30E8949B70

Function 00D025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D02601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D02605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D0260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D02623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D02627

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fedf4b115af0eefca71d6ce3c1ab1e9e725aba8a21df03d1e33186baa7a40726
Instruction ID: 7ea3df334ec29614039bc6419f3e2d03c033b0f27debc5c3f3b264f6d6804592
Opcode Fuzzy Hash: fedf4b115af0eefca71d6ce3c1ab1e9e725aba8a21df03d1e33186baa7a40726
Instruction Fuzzy Hash: 1C01B1313A0310BBFB1067699C8EF593E59DB5AB12F101001F358EE1E1C9E264449A79

Function 00D01803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D01449,?,?,00000000), ref: 00D0180C
HeapAlloc.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D01813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D01449,?,?,00000000), ref: 00D01828
GetCurrentProcess.KERNEL32(?,00000000,?,00D01449,?,?,00000000), ref: 00D01830
DuplicateHandle.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D01833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D01449,?,?,00000000), ref: 00D01843
GetCurrentProcess.KERNEL32(00D01449,00000000,?,00D01449,?,?,00000000), ref: 00D0184B
DuplicateHandle.KERNEL32(00000000,?,00D01449,?,?,00000000), ref: 00D0184E
CreateThread.KERNEL32(00000000,00000000,00D01874,00000000,00000000,00000000), ref: 00D01868

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9dabeed0a30c5adbe5a6805c3a69b40e8d5ab9fa98c7470cabb658fa4e31e5a9
Instruction ID: 2780c21e59d3e840d37f6f4857b0e6aae269685854a3fa536563e113dc699e25
Opcode Fuzzy Hash: 9dabeed0a30c5adbe5a6805c3a69b40e8d5ab9fa98c7470cabb658fa4e31e5a9
Instruction Fuzzy Hash: 4F01BBB5250308BFE710ABA5DC4DF6B3BACEB89B11F009411FA05EB2A1CA70D810DB30

Function 00D2A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D0D501
Part of subcall function 00D0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D0D50F
Part of subcall function 00D0D4DC: CloseHandle.KERNEL32(00000000), ref: 00D0D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2A16D
GetLastError.KERNEL32 ref: 00D2A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D2A268
GetLastError.KERNEL32(00000000), ref: 00D2A273
CloseHandle.KERNEL32(00000000), ref: 00D2A2C4

Strings

SeDebugPrivilege, xrefs: 00D2A18F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bd43f9378056aabae38ce5f811021c5facbcfc4018c3a4a19ed0bbaeac219ec6
Instruction ID: 9c2da6944fdc9e05673dcac72182b05da6c4888ad2328cbbfa4f20c3aea017e3
Opcode Fuzzy Hash: bd43f9378056aabae38ce5f811021c5facbcfc4018c3a4a19ed0bbaeac219ec6
Instruction Fuzzy Hash: 9E617B302042529FD720DF18D894F15BBA1EF5531CF19849CE46A8B7A3C772EC45CBA6

Function 00D0BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D0BCFD
IsMenu.USER32(00000000), ref: 00D0BD1D
CreatePopupMenu.USER32 ref: 00D0BD53
GetMenuItemCount.USER32(011658A8), ref: 00D0BDA4
InsertMenuItemW.USER32(011658A8,?,00000001,00000030), ref: 00D0BDCC

Strings

2, xrefs: 00D0BD37
0, xrefs: 00D0BCA8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 76e241556fbd9c52c0d69b61439a2786121ac165c07adc9d3703be3293910aa8
Instruction ID: 01302db1e09cce9f5bf6a124c4402e1b7c131a5f66cc317667e668675c6ec278
Opcode Fuzzy Hash: 76e241556fbd9c52c0d69b61439a2786121ac165c07adc9d3703be3293910aa8
Instruction Fuzzy Hash: 80518F70A08206DBDB10DFA9D884BAEFBF4EF45324F18425AE45AE72D1E7709941CB71

Function 00D381DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CFF3AB,00000000,?,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00D3824C
EnableWindow.USER32(00000000,00000000), ref: 00D38272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D382D1
ShowWindow.USER32(00000000,00000004), ref: 00D382E5
EnableWindow.USER32(00000000,00000001), ref: 00D3830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D3832F

Strings

@U=u, xrefs: 00D3832F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: ff304004494824cfc8796788594f8583ea073a04add3fe20b338e00038619c97
Instruction ID: a2295e4b097e3b518d5a8dd074473de6706daf65f8af990c985d572e69c08675
Opcode Fuzzy Hash: ff304004494824cfc8796788594f8583ea073a04add3fe20b338e00038619c97
Instruction Fuzzy Hash: F9418238601744AFDB11CF15CC99BA57BE0BB0A715F185269FA189B362CB31A841DF74

Function 00D04C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D04C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D04CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D04CEA
_wcslen.LIBCMT ref: 00D04D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D04D10
_wcsstr.LIBVCRUNTIME ref: 00D04D1A

Strings

@U=u, xrefs: 00D04CB2, 00D04CEA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: 9db07474b66e378798cf82fa3a799f3ea499a00c962ca144489b6f5da8723d1d
Instruction ID: 5995524bce0c381c5b3413c5682a2d18134a55fa23be86879e596bfceecec5bc
Opcode Fuzzy Hash: 9db07474b66e378798cf82fa3a799f3ea499a00c962ca144489b6f5da8723d1d
Instruction Fuzzy Hash: 6921D4B2204240BBEB259B39EC4AF7B7B9CDF45750F14802DF909DA2A1EA61DD0197B0

Function 00D0C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D0C913

Strings

warning, xrefs: 00D0C8FC
stop, xrefs: 00D0C8E4
question, xrefs: 00D0C8CC
info, xrefs: 00D0C8B4
blank, xrefs: 00D0C895

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0507de4b54e2545bbb24235a4f5eacfd78ed76e0a986fef6d6cd6757dd9fcd9b
Instruction ID: 5d958c48a550466da9f7f812212bd862e74f9c9596fe14f783b1ab1ee32669fa
Opcode Fuzzy Hash: 0507de4b54e2545bbb24235a4f5eacfd78ed76e0a986fef6d6cd6757dd9fcd9b
Instruction Fuzzy Hash: 30113D31699306BFE7089B14EC83FAA379CDF15315B20512EF908A62C2D770DD006678

Function 00CF7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CF7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CF7469
GetWindowDC.USER32(?), ref: 00CF7475
GetPixel.GDI32(00000000,?,?), ref: 00CF7484
ReleaseDC.USER32(?,00000000), ref: 00CF7496
GetSysColor.USER32(00000005), ref: 00CF74B0

Strings

@U=u, xrefs: 00CF7469

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 3ac0e1bc85ffa09283a60b023ac6e26c9dadf150b848529214d535bd645644c9
Instruction ID: 9bd3520be954a6e5d1fa44c0ab259cb43c9e29a462735e61a0b36879924a01d6
Opcode Fuzzy Hash: 3ac0e1bc85ffa09283a60b023ac6e26c9dadf150b848529214d535bd645644c9
Instruction Fuzzy Hash: 24012831410619EFEB515FA4DC09BAA7BB5FB04311F511164FA25E22B1CB311E51EF61

Function 00D0ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D0ED2A
_wcslen.LIBCMT ref: 00D0ED3B
_wcslen.LIBCMT ref: 00D0ED79
_wcslen.LIBCMT ref: 00D0EDAF
_wcslen.LIBCMT ref: 00D0EDDF
_wcslen.LIBCMT ref: 00D0EDEF
_wcslen.LIBCMT ref: 00D0EE2B
_wcslen.LIBCMT ref: 00D0EE5A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b61169e058be06b896f2ec9ca0f14a630694cea23880a2088080e9a0713cf79a
Instruction ID: bf96c8f69aadfa4f9ecb62e1e4ef55a9ecdd8899cadcecf18c262d02e5a944cc
Opcode Fuzzy Hash: b61169e058be06b896f2ec9ca0f14a630694cea23880a2088080e9a0713cf79a
Instruction Fuzzy Hash: 9D418065C1021875CB11EBB4C88AFDFB7ACAF45710F50886AF518E3161FB34E655C3A5

Function 00CBF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CBF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CFF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CF682C,00000004,00000000,00000000), ref: 00CFF454

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 04de17bff5c0b72367b505fb9520c557831770e473f88d02bf1f075156c64cb9
Instruction ID: 314d6e328ac1a10e2f26a15b0179420cae324b294d53e2eca6b7496ed179a8f8
Opcode Fuzzy Hash: 04de17bff5c0b72367b505fb9520c557831770e473f88d02bf1f075156c64cb9
Instruction Fuzzy Hash: E8412A31A08744FAC7798B2D8C887BA7B91EF56310F14453CE1A792770D631AA83DB21

Function 00D05622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D05637
_memcmp.LIBVCRUNTIME ref: 00D05659
_memcmp.LIBVCRUNTIME ref: 00D05671
_memcmp.LIBVCRUNTIME ref: 00D05684
_memcmp.LIBVCRUNTIME ref: 00D0569E
_memcmp.LIBVCRUNTIME ref: 00D056B1
_memcmp.LIBVCRUNTIME ref: 00D056C9
_memcmp.LIBVCRUNTIME ref: 00D056E4

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c391786bedb5dee59a38ff56f618c136ff2af865908de530d546fc030b73bfbe
Instruction ID: cfcc35b43fc1aa386b25ff1c0cb93b7e49d3ab0a9728132156c0f669e13b5cc2
Opcode Fuzzy Hash: c391786bedb5dee59a38ff56f618c136ff2af865908de530d546fc030b73bfbe
Instruction Fuzzy Hash: 1A21AA61A40A09BBD3145611EE82FBB335CAF62384F8C0024FD0D5A5C6F762ED149DB5

Function 00D24FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00D25007
NULL Pointer assignment, xrefs: 00D2502E, 00D25383

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 13ee29caa26bf583d84c5b0ffa5d1f5bb0c61a1a409a558de67c23692b900b8d
Instruction ID: 2ab83370184216f314af79970a30e57e1a8a019d687641559ec4286910d05abe
Opcode Fuzzy Hash: 13ee29caa26bf583d84c5b0ffa5d1f5bb0c61a1a409a558de67c23692b900b8d
Instruction Fuzzy Hash: 21D1A171A0061A9FDF10CF98E880FAEB7B5BF58348F188069E915AB285D771DD45CBB0

Function 00CE1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00CE15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00CE17FB,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE16FB

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00CE1777
__freea.LIBCMT ref: 00CE17A2
__freea.LIBCMT ref: 00CE17AE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f9a8f598a9f23ccf5bfa512142b6503206cdbf9afaf3a7f0b25f9522836bda67
Instruction ID: 8c6d5db0a73fc4aa5fdd8828b8f6b7841e577139c1dcca7652a763628243a97a
Opcode Fuzzy Hash: f9a8f598a9f23ccf5bfa512142b6503206cdbf9afaf3a7f0b25f9522836bda67
Instruction Fuzzy Hash: A191D271E012869ADB208F66C881EEE7BB5EF49710F1C4619ED22E7281D735CE50CB60

Function 00D24523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D24648
VariantInit.OLEAUT32(?), ref: 00D24749
VariantClear.OLEAUT32(?), ref: 00D24753
VariantClear.OLEAUT32(?), ref: 00D247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D2472C
Null Object assignment in FOR..IN loop, xrefs: 00D245D8, 00D24706, 00D247BE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a9a9d82901200156e352c64ac61570333f79625257ac517803884f314b831b7e
Instruction ID: 48c5913aee36807a6d05350667f2031861cb7387defcf972d930e6cd792bbd8a
Opcode Fuzzy Hash: a9a9d82901200156e352c64ac61570333f79625257ac517803884f314b831b7e
Instruction Fuzzy Hash: 5591A070A00229AFDF20CFA4D844FAEBBB8EF56719F148559F915AB280D7709945CFB0

Function 00D11187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D1125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D11284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D1135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D11430

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7743ad1db1472af5220d72d91c753fa61dd34e8ceb32987256dbbc4c53c58d4e
Instruction ID: 61cc3b178c975b0f1810828601df5a856890269b04a6192790783160ef963cb8
Opcode Fuzzy Hash: 7743ad1db1472af5220d72d91c753fa61dd34e8ceb32987256dbbc4c53c58d4e
Instruction Fuzzy Hash: 4291F079A00219BFDB009FA4E885BFEB7B5FF05714F144029E640E7291DB74A981CBB0

Function 00CB948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8dadd11c20a4ff29a370f5af6ae571ed9135864eba95b60fec25091015fb7580
Instruction ID: 904c110b82150353174f1792ce5faee77509894d97338d6b23cb66fc84ded0ca
Opcode Fuzzy Hash: 8dadd11c20a4ff29a370f5af6ae571ed9135864eba95b60fec25091015fb7580
Instruction Fuzzy Hash: 39913771D40219EFCB14CFA9CC84AEEBBB8FF49320F148159E615B7251D374AA46DB60

Function 00D23947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D2396B
CharUpperBuffW.USER32(?,?), ref: 00D23A7A
_wcslen.LIBCMT ref: 00D23A8A
VariantClear.OLEAUT32(?), ref: 00D23C1F

Part of subcall function 00D10CDF: VariantInit.OLEAUT32(00000000), ref: 00D10D1F
Part of subcall function 00D10CDF: VariantCopy.OLEAUT32(?,?), ref: 00D10D28
Part of subcall function 00D10CDF: VariantClear.OLEAUT32(?), ref: 00D10D34

Strings

Incorrect Parameter format, xrefs: 00D239A6, 00D23BA1
AUTOIT.ERROR, xrefs: 00D23A80, 00D23A85

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 735a23a94bef11261da7c92a5cd07054f945d100c18983f26fefad42a9159754
Instruction ID: 7bb8024616c986dcb852f21f43081eb89cc81a12169ca818caad686a0a5d6e89
Opcode Fuzzy Hash: 735a23a94bef11261da7c92a5cd07054f945d100c18983f26fefad42a9159754
Instruction Fuzzy Hash: FC919A746083119FC704EF28D48196AB7E4FF99318F04882DF88A97351DB35EE45CBA2

Function 00D24BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?,?,00D0035E), ref: 00D0002B
Part of subcall function 00D0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00046
Part of subcall function 00D0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00054
Part of subcall function 00D0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?), ref: 00D00064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D24C51
_wcslen.LIBCMT ref: 00D24D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D24DCF
CoTaskMemFree.OLE32(?), ref: 00D24DDA

Strings

NULL Pointer assignment, xrefs: 00D24E23, 00D24E52

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a6df0f83b0bebfe360ffad3b1c5fa818f1821d3f090472101f778b28848b4bca
Instruction ID: 3542865704b91dba9d48dcf55a7bf10d24fef9fd4ee54b5707a167e326ba837a
Opcode Fuzzy Hash: a6df0f83b0bebfe360ffad3b1c5fa818f1821d3f090472101f778b28848b4bca
Instruction Fuzzy Hash: EF912871D0022DAFDF14DFA4D891AEEB7B8FF08314F108169E915A7291DB349A44DFA0

Function 00D320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D32183
GetMenuItemCount.USER32(00000000), ref: 00D321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D321DD
_wcslen.LIBCMT ref: 00D32213
GetMenuItemID.USER32(?,?), ref: 00D3224D
GetSubMenu.USER32(?,?), ref: 00D3225B

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D322E3

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7c7e041496a01a78805bc04b6c3fb9c666da365059b499ac3e3bd1f27d14a4bf
Instruction ID: cf9e971bafb4afff66f547f29ffc03aa59f328a27ab431005d9e7a43a968fca4
Opcode Fuzzy Hash: 7c7e041496a01a78805bc04b6c3fb9c666da365059b499ac3e3bd1f27d14a4bf
Instruction Fuzzy Hash: D0716B75E00215AFCB10EFA8C885ABEB7F5EF49310F148459E956EB351DB34EE418BA0

Function 00D0AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D0AEF9
GetKeyboardState.USER32(?), ref: 00D0AF0E
SetKeyboardState.USER32(?), ref: 00D0AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D0AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D0AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D0AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D0B020

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bdc618cb58f02074e8073e467dbff0008dd19a18ace8cfae489748e4788e55b7
Instruction ID: 051611c333597ae963ab022007a36d9c9ac6f7e57ba3c48dccc6ee7a036ddaab
Opcode Fuzzy Hash: bdc618cb58f02074e8073e467dbff0008dd19a18ace8cfae489748e4788e55b7
Instruction Fuzzy Hash: D651A0A06187D63DFB3683388845BBABEA95F06314F0C858AF1DD954D2C3D8AC84D771

Function 00D0ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D0AD19
GetKeyboardState.USER32(?), ref: 00D0AD2E
SetKeyboardState.USER32(?), ref: 00D0AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D0ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D0ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D0AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D0AE38

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a86f6748f2e2b17c6f4b6343e5b1d693fcb497dd3c725ce4b5b1f5d54b8975c4
Instruction ID: b40375748215d7c4dd52297180cfe8af5abe3abc266ceb1454aa06f7d8342fa5
Opcode Fuzzy Hash: a86f6748f2e2b17c6f4b6343e5b1d693fcb497dd3c725ce4b5b1f5d54b8975c4
Instruction Fuzzy Hash: 6F51B4A16187D53DFB368338CC55BBABEA99B46300F0C8589F1DD568C2D294EC88D772

Function 00CD542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CE3CD6,?,?,?,?,?,?,?,?,00CD5BA3,?,?,00CE3CD6,?,?), ref: 00CD5470
__fassign.LIBCMT ref: 00CD54EB
__fassign.LIBCMT ref: 00CD5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CE3CD6,00000005,00000000,00000000), ref: 00CD552C
WriteFile.KERNEL32(?,00CE3CD6,00000000,00CD5BA3,00000000,?,?,?,?,?,?,?,?,?,00CD5BA3,?), ref: 00CD554B
WriteFile.KERNEL32(?,?,00000001,00CD5BA3,00000000,?,?,?,?,?,?,?,?,?,00CD5BA3,?), ref: 00CD5584

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d55fcc0baf4ba5aef6af2e628c71d686b2d817d78b9a041f38f26f41f4ae17a6
Instruction ID: bf995f4741aea3841ab001b8f3f71ab1e190c23d3f6e0b8597f3a818ab954666
Opcode Fuzzy Hash: d55fcc0baf4ba5aef6af2e628c71d686b2d817d78b9a041f38f26f41f4ae17a6
Instruction Fuzzy Hash: EA519171A00749AFDB11CFA8E845AEEBBF9EF09300F14411BE655E7391E7309A41CB61

Function 00D36B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D36C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D36C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D36C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D1AB79,00000000,00000000), ref: 00D36C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D36CC7

Strings

@U=u, xrefs: 00D36C73

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 2a7465e6e28db5f54778f2015787dc2fdd14efac40cc266f0b4ba78f1dbe830c
Instruction ID: 4f9e81a9a51a62041db956ad65b480f31603c7d9619a59880927e565b69a7019
Opcode Fuzzy Hash: 2a7465e6e28db5f54778f2015787dc2fdd14efac40cc266f0b4ba78f1dbe830c
Instruction Fuzzy Hash: F641A135604204BFDB24CF28CC59FA9BFA5EB09350F189268F999E73A0C371ED41DA60

Function 00CC2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CC2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CC2D53
_ValidateLocalCookies.LIBCMT ref: 00CC2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CC2E0C
_ValidateLocalCookies.LIBCMT ref: 00CC2E61

Strings

csm, xrefs: 00CC2DF6

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6196a7a2ddfd3c45995ad3f65d5edc9f12229921c7d2a9d585260e0f946be06e
Instruction ID: 79f66322ada9b429e1e9e7c0b4e3b5642e678aca27f2b583bbbf09d4ce53abd2
Opcode Fuzzy Hash: 6196a7a2ddfd3c45995ad3f65d5edc9f12229921c7d2a9d585260e0f946be06e
Instruction Fuzzy Hash: DA41C134E00249ABCF10DF68C845F9EBBB5BF44324F14815DE825AB392DB31AA05CBE0

Function 00D210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
Part of subcall function 00D2304E: _wcslen.LIBCMT ref: 00D2309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D21112
WSAGetLastError.WSOCK32 ref: 00D21121
WSAGetLastError.WSOCK32 ref: 00D211C9
closesocket.WSOCK32(00000000), ref: 00D211F9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e54b79319fa914af6f36cf4be49695bcd4a50b96375fb824c1303343fae41a51
Instruction ID: 7f2041e0c0c34e4fdc85a7525cd301b58e45f24c53967b18f6115ebafdf8c831
Opcode Fuzzy Hash: e54b79319fa914af6f36cf4be49695bcd4a50b96375fb824c1303343fae41a51
Instruction Fuzzy Hash: 2B410135600324AFDB119F24D884BAAB7A9EF61328F188018FD05AB281C770EE418BB1

Function 00D0CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D0CF22,?), ref: 00D0DDFD

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D0CF22,?), ref: 00D0DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D0CF45
MoveFileW.KERNEL32(?,?), ref: 00D0CF7F
_wcslen.LIBCMT ref: 00D0D005
_wcslen.LIBCMT ref: 00D0D01B
SHFileOperationW.SHELL32(?), ref: 00D0D061

Strings

\*.*, xrefs: 00D0CFF3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 00773062b92fa80ebb53b86c7a9554a405a0c6bc9d95a62d59b622bd89b6fc27
Instruction ID: 3292391fafd17dbc7ae04cbba0e397bb126177e415d07a0adbc62297748b3ed8
Opcode Fuzzy Hash: 00773062b92fa80ebb53b86c7a9554a405a0c6bc9d95a62d59b622bd89b6fc27
Instruction Fuzzy Hash: CF4158719452195FDF12EFA4D981FDE77B9EF48380F0410E6E509E7181EA34A648CB71

Function 00D07726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D0778F
SysAllocString.OLEAUT32(00000000), ref: 00D07792
SysAllocString.OLEAUT32(?), ref: 00D077B0
SysFreeString.OLEAUT32(?), ref: 00D077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D077DE
SysAllocString.OLEAUT32(?), ref: 00D077EC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a36f70d3103565d11fcd50478f28e469c0c8541e7ebc5d95cf44d47a8432d92b
Instruction ID: 466131958b490df25031afe4abf74cb6d13b60df3dc570a7005340fba6590e71
Opcode Fuzzy Hash: a36f70d3103565d11fcd50478f28e469c0c8541e7ebc5d95cf44d47a8432d92b
Instruction Fuzzy Hash: 4421A776A04219AFDF10DFA8CC84DBB77ACEB497A4B048025F919DF291D670ED418770

Function 00D077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D07868
SysAllocString.OLEAUT32(00000000), ref: 00D0786B
SysAllocString.OLEAUT32 ref: 00D0788C
SysFreeString.OLEAUT32 ref: 00D07895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D078AF
SysAllocString.OLEAUT32(?), ref: 00D078BD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dd33eed57aa29f67c4e62dfc48035d4821acb21dd6ddaaa4abe9068878e71ada
Instruction ID: a5e75e1e281dfd405b86a10f1ea4630fc7b7a3ed3c7b6a209efa6a0a021f51e0
Opcode Fuzzy Hash: dd33eed57aa29f67c4e62dfc48035d4821acb21dd6ddaaa4abe9068878e71ada
Instruction Fuzzy Hash: 3E213036A08204AFDB109FA8DC89EAA77ACEB097607148125F919DB2A1D674FC41DB74

Function 00D35706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D35745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D3579D
_wcslen.LIBCMT ref: 00D357AF
_wcslen.LIBCMT ref: 00D357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D35816

Strings

@U=u, xrefs: 00D35745, 00D3579D, 00D35816

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: e3239d4b75e1f22b9cdd51a82afd326a8b77c5c6ac18ce18732d3ec85df82a6a
Instruction ID: a5ce9f790be53cc4f6e307e72f64b673095f3129dd2491c40e01cc532b253cba
Opcode Fuzzy Hash: e3239d4b75e1f22b9cdd51a82afd326a8b77c5c6ac18ce18732d3ec85df82a6a
Instruction Fuzzy Hash: DC21A571904618DADB208F64EC85AED77B8FF05320F148216E919EA284D770C985CF70

Function 00D104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D1052E

Strings

nul, xrefs: 00D10567

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e9ba8831fe9ecf8e37f418d8dd1a7147feb0c4c07e1a3ecdc0b077307de23220
Instruction ID: dabab033b33445448af623a5334049e5c00e3aa7e4d6ebc5366f8641a157ff25
Opcode Fuzzy Hash: e9ba8831fe9ecf8e37f418d8dd1a7147feb0c4c07e1a3ecdc0b077307de23220
Instruction Fuzzy Hash: 1B212375500305ABEB206F69E844A9A7BB5AF44764F244A19E8A1E62D0DBB0D9D0CF30

Function 00D105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D10601

Strings

nul, xrefs: 00D10639

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f49e243773d8aaba0158590c0264c7fa92d0647c31e29f996bca43a4df9e12a8
Instruction ID: 33bb9c96eb89b27a11dd46ed21bd7bfb1e57b9c8f72a952a5d6b1088a560390c
Opcode Fuzzy Hash: f49e243773d8aaba0158590c0264c7fa92d0647c31e29f996bca43a4df9e12a8
Instruction Fuzzy Hash: 64215B75500305ABDB106F69AC44ADA7BE4AF95720F244A19F8A1E72D0DBF099E0CB70

Function 00D340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
Part of subcall function 00CA600E: GetStockObject.GDI32(00000011), ref: 00CA6060
Part of subcall function 00CA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D34112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D3411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D3412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D34139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D34145

Strings

Msctls_Progress32, xrefs: 00D340E3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dc715b382e91c7498b8458d673ddd32566c8196221610b3b8866c6b1d330f496
Instruction ID: 142e41f99ed52c0202fa9f44c7071c8ccb92468699675489657956a18b6ad284
Opcode Fuzzy Hash: dc715b382e91c7498b8458d673ddd32566c8196221610b3b8866c6b1d330f496
Instruction Fuzzy Hash: 391190B215021ABEEF118E64CC86EE77F5DEF08798F014111FA18A2150CA769C619BB4

Function 00CDD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CDD7A3: _free.LIBCMT ref: 00CDD7CC

_free.LIBCMT ref: 00CDD82D

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDD838
_free.LIBCMT ref: 00CDD843
_free.LIBCMT ref: 00CDD897
_free.LIBCMT ref: 00CDD8A2
_free.LIBCMT ref: 00CDD8AD
_free.LIBCMT ref: 00CDD8B8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9c8f76f65d9a0d3ad1aa7e4f36195f1cf5df6eb1ebf95f62db33ad2f5850a3e5
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 4B115E71940B04AAD621BFB0CC87FCB7BDCAF10700F4108A6B39EE6292DA65B505B660

Function 00D0DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D0DA74
LoadStringW.USER32(00000000), ref: 00D0DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D0DA91
LoadStringW.USER32(00000000), ref: 00D0DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D0DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D0DAB9

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 849725f934f51805183a6606367678b65249e95522c8809794ac03c1839d45db
Instruction ID: 1818614a406e4f1595f7cd42037dca6f9c4a6f39f0af186d5d95f7df3a1f0eee
Opcode Fuzzy Hash: 849725f934f51805183a6606367678b65249e95522c8809794ac03c1839d45db
Instruction Fuzzy Hash: 890162F29103087FE7109BA09D89EE7726CE708301F401496B746F2181EA749E848F74

Function 00D1096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0115AB68,0115AB68), ref: 00D1097B
EnterCriticalSection.KERNEL32(0115AB48,00000000), ref: 00D1098D
TerminateThread.KERNEL32(01158950,000001F6), ref: 00D1099B
WaitForSingleObject.KERNEL32(01158950,000003E8), ref: 00D109A9
CloseHandle.KERNEL32(01158950), ref: 00D109B8
InterlockedExchange.KERNEL32(0115AB68,000001F6), ref: 00D109C8
LeaveCriticalSection.KERNEL32(0115AB48), ref: 00D109CF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 02cac1ba8982a6de120674ef6f0d1a20738b6bf04effdb499c9a697ee6a935a6
Instruction ID: 0e7d518ff56801c3f7a2e9c12b45c3068cd2891d3f48251b3bd11bc49de482d1
Opcode Fuzzy Hash: 02cac1ba8982a6de120674ef6f0d1a20738b6bf04effdb499c9a697ee6a935a6
Instruction Fuzzy Hash: 2CF01D31552602BBD7415B94EE88AD67A25BF05702F442015F101A09A1CBB494B5CFA4

Function 00D21C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D21DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D21DE1
WSAGetLastError.WSOCK32 ref: 00D21DF2
htons.WSOCK32(?,?,?,?,?), ref: 00D21EDB
inet_ntoa.WSOCK32(?), ref: 00D21E8C

Part of subcall function 00D039E8: _strlen.LIBCMT ref: 00D039F2

Part of subcall function 00D23224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00D1EC0C), ref: 00D23240

_strlen.LIBCMT ref: 00D21F35

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 414f901a75a39b75d3b2e639e29b40af9134d699267772c2d741be65fd90f542
Instruction ID: d62c6a1635275b5fee8ba3d798847a8aeab2284633010e5edc1c7aa24c888f9a
Opcode Fuzzy Hash: 414f901a75a39b75d3b2e639e29b40af9134d699267772c2d741be65fd90f542
Instruction Fuzzy Hash: 19B1F135604311AFC324DF24D885E6A77E5AFA531CF58854CF4565B2E2CB31ED42CBA1

Function 00CD01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CD00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD00D6
__allrem.LIBCMT ref: 00CD00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD010B
__allrem.LIBCMT ref: 00CD0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD0140

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 20148fe604c62e86bca5e8c82d160848b61030372067dde942d11f3a6b181f22
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 5581D372A00706ABE724AB6DCC42B6E73E9EF41364F25412FF661D7381E770EA419790

Function 00CD61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CC82D9,00CC82D9,?,?,?,00CD644F,00000001,00000001,8BE85006), ref: 00CD6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CD644F,00000001,00000001,8BE85006,?,?,?), ref: 00CD62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CD63D8
__freea.LIBCMT ref: 00CD63E5

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

__freea.LIBCMT ref: 00CD63EE
__freea.LIBCMT ref: 00CD6413

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f14ea15bf5d1829040f72d7fc49aa2179e886de527b84c3c52c68d408e1e76d3
Instruction ID: eebf55673c44fc407f7fb25f3e1ce060ab239131f20eccb6cd7e6648c36c7b2a
Opcode Fuzzy Hash: f14ea15bf5d1829040f72d7fc49aa2179e886de527b84c3c52c68d408e1e76d3
Instruction Fuzzy Hash: 8D51F272600216ABDB258F64CC81EBF7BA9EF44710F15422AFF15D7291EB34DD40D660

Function 00D2BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D2BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D2BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D2BDF3
RegCloseKey.ADVAPI32(?), ref: 00D2BDFF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d8688fd31d7929f1a27dc022b08f7ec9fd87c1e008e1458862f25824599e682f
Instruction ID: b63abb8a09ed082b8ded185169e8698e929ef433cb058fc10bb69a6b24eb8845
Opcode Fuzzy Hash: d8688fd31d7929f1a27dc022b08f7ec9fd87c1e008e1458862f25824599e682f
Instruction Fuzzy Hash: 2381B130108241AFC714DF24C885E6ABBE5FF8531CF14895DF4968B2A2CB71ED45DBA2

Function 00CFF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CFF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CFF860
VariantCopy.OLEAUT32(00CFFA64,00000000), ref: 00CFF889
VariantClear.OLEAUT32(00CFFA64), ref: 00CFF8AD
VariantCopy.OLEAUT32(00CFFA64,00000000), ref: 00CFF8B1
VariantClear.OLEAUT32(?), ref: 00CFF8BB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 9f5eabfe764845fdda36c922396746dce5c816c228248119ae8b8fae88a3d051
Instruction ID: 1826281ead472c9c8c427c139d568064e4cba95c74e47a7b0c5f0f2e0b53805e
Opcode Fuzzy Hash: 9f5eabfe764845fdda36c922396746dce5c816c228248119ae8b8fae88a3d051
Instruction Fuzzy Hash: E3510731500318BBCF64AF65D895B39B3A4EF45310F20946EEA01DF292DBB08D42E767

Function 00D1910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D194E5
_wcslen.LIBCMT ref: 00D19506
_wcslen.LIBCMT ref: 00D1952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D19585

Strings

X, xrefs: 00D19412

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a246f8fa4d2ab92ae75c80e0d5c0eec7e2e0557947e78632bc355f9ccf2d73d6
Instruction ID: b7cdeeaf50010c859db31902b72d9a470d6e88c0b2dc3ce40e948270ef60e132
Opcode Fuzzy Hash: a246f8fa4d2ab92ae75c80e0d5c0eec7e2e0557947e78632bc355f9ccf2d73d6
Instruction Fuzzy Hash: A8E1C2315083419FD714DF24D8A1AAAB7E5FF85314F08896CF8999B2A2DB30DD45CBA2

Function 00CB920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

BeginPaint.USER32(?,?,?), ref: 00CB9241
GetWindowRect.USER32(?,?), ref: 00CB92A5
ScreenToClient.USER32(?,?), ref: 00CB92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CB92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CB9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CF71EA

Part of subcall function 00CB9339: BeginPath.GDI32(00000000), ref: 00CB9357

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c688d54c957739f79b4d813fe666915a9abeca04e0561aabbe9b8792d84b92c6
Instruction ID: dc52275d7ca2977ae85af3eb07a3c1a4296b3aa8f9ca02028471a2e1a515d24a
Opcode Fuzzy Hash: c688d54c957739f79b4d813fe666915a9abeca04e0561aabbe9b8792d84b92c6
Instruction Fuzzy Hash: BF418E75104300AFD721DF29CC85FBA7BB8EB45320F144229FA69D72B2D7319945DB62

Function 00D107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D1080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D10847
EnterCriticalSection.KERNEL32(?), ref: 00D10863
LeaveCriticalSection.KERNEL32(?), ref: 00D108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D10921

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 782e01857b1c3dcbfb996035327ed6dfbe1a7562a5a3fe05a317113bed83516b
Instruction ID: d2103dd28191303bdb56847e7600b3f68f609d41326df0b6bf2fb64e8d0a5f16
Opcode Fuzzy Hash: 782e01857b1c3dcbfb996035327ed6dfbe1a7562a5a3fe05a317113bed83516b
Instruction Fuzzy Hash: CB414C71900205EBDF14AF64DC85AAA7BB9FF04310F1440A9ED04EA297DB70DEA5DBB4

Function 00D1581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CA3A97,?,?,00CA2E7F,?,?,?,00000000), ref: 00CA3AC2

_wcslen.LIBCMT ref: 00D1587B
CoInitialize.OLE32(00000000), ref: 00D15995
CoCreateInstance.OLE32(00D3FCF8,00000000,00000001,00D3FB68,?), ref: 00D159AE
CoUninitialize.OLE32 ref: 00D159CC

Strings

.lnk, xrefs: 00D15876, 00D158C1, 00D15985

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15254985c4c0f5866735a145ec6331acce191919a5b9e137788e7080f73f7a57
Instruction ID: 076d7c53523feeda9c2d3f293344d187d416ab1b93f8021b7603dec52f005cb8
Opcode Fuzzy Hash: 15254985c4c0f5866735a145ec6331acce191919a5b9e137788e7080f73f7a57
Instruction Fuzzy Hash: 1AD15370608701EFC704DF14E480A6ABBE1FF89714F148959F88A9B361DB35EC85CBA2

Function 00D0175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D00FCA
Part of subcall function 00D00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D00FD6
Part of subcall function 00D00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D00FE5
Part of subcall function 00D00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D00FEC
Part of subcall function 00D00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D01002

GetLengthSid.ADVAPI32(?,00000000,00D01335), ref: 00D017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D017BA
HeapAlloc.KERNEL32(00000000), ref: 00D017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D017DA
GetProcessHeap.KERNEL32(00000000,00000000,00D01335), ref: 00D017EE
HeapFree.KERNEL32(00000000), ref: 00D017F5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a742ce3875973dea7758351765c9ca25ffa9c6ff28de0351bffdb39684190854
Instruction ID: 2a291171ac8d1fc9694d885c7ee68287bde9428875b6937df7560ee1425c6373
Opcode Fuzzy Hash: a742ce3875973dea7758351765c9ca25ffa9c6ff28de0351bffdb39684190854
Instruction Fuzzy Hash: 33119736610305EBDB149FA4CC49BAE7BA9FB96355F144018F489E7290C736A944DB70

Function 00D014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D01506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D01515
CloseHandle.KERNEL32(00000004), ref: 00D01520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D0154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D01563

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b12637f4755c6b2e32c6af51da7ab4220d3fea1eb1921abc1454fc15db9ab110
Instruction ID: dc01bbda9795ac6e22d40afdf5c45d451fe2dee73d10ea0af39174eccd50f352
Opcode Fuzzy Hash: b12637f4755c6b2e32c6af51da7ab4220d3fea1eb1921abc1454fc15db9ab110
Instruction Fuzzy Hash: A4112676500249ABDF118FA8DD49BDE7BA9FF48748F084029FA09A21A0C375CE64DB70

Function 00CC3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CC3379,00CC2FE5), ref: 00CC3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CC339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC33B7
SetLastError.KERNEL32(00000000,?,00CC3379,00CC2FE5), ref: 00CC3409

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6663b7b0529ad61bbeca1c8dc2e19a88bbc3912442083f953586b576b00be311
Instruction ID: 774cd82d96fafb0d16c17ed50716a410c45269ff50fee2ca6633811507e8cbf8
Opcode Fuzzy Hash: 6663b7b0529ad61bbeca1c8dc2e19a88bbc3912442083f953586b576b00be311
Instruction Fuzzy Hash: 2301243261C3D1BEA7286774FC95F6A2A94EB0537A320822EF520C13F0EF554E0362A4

Function 00CD2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD5686,00CE3CD6,?,00000000,?,00CD5B6A,?,?,?,?,?,00CCE6D1,?,00D68A48), ref: 00CD2D78
_free.LIBCMT ref: 00CD2DAB
_free.LIBCMT ref: 00CD2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CCE6D1,?,00D68A48,00000010,00CA4F4A,?,?,00000000,00CE3CD6), ref: 00CD2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CCE6D1,?,00D68A48,00000010,00CA4F4A,?,?,00000000,00CE3CD6), ref: 00CD2DEC
_abort.LIBCMT ref: 00CD2DF2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e981df1a4c95a2e72e38a1b2853886ba10e79255c175a3a363c3b3b24a197a37
Instruction ID: 27e093bb8263a0abcdb923a3e6caebe7ad2d8df6bf28789e9330835e843e2e99
Opcode Fuzzy Hash: e981df1a4c95a2e72e38a1b2853886ba10e79255c175a3a363c3b3b24a197a37
Instruction Fuzzy Hash: 1BF0CD315047006BC2123735BC06E1B25576FE27A1F244417F774D23D2EF64C901B271

Function 00D38A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96A2
Part of subcall function 00CB9639: BeginPath.GDI32(?), ref: 00CB96B9
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D38A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D38A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D38A70
LineTo.GDI32(?,00000000,00000003), ref: 00D38A80
EndPath.GDI32(?), ref: 00D38A90
StrokePath.GDI32(?), ref: 00D38AA0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1d6162eb7ff96e4c8ac81dafe0294b5d134d1f46df6c4e0ce4938cb77eabc1b5
Instruction ID: 793be9a8e735f3a1ba004a2a5f1b866b28535fcec2c5ebc7046dc4fc2fab55f2
Opcode Fuzzy Hash: 1d6162eb7ff96e4c8ac81dafe0294b5d134d1f46df6c4e0ce4938cb77eabc1b5
Instruction Fuzzy Hash: 5611CC7600024DFFDB119F94DC48E9A7F6DEB04394F048011FA19992A1D7719D55DF70

Function 00D051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D05218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D05229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D05230
ReleaseDC.USER32(00000000,00000000), ref: 00D05238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D0524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D05261

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 60c1ac9d04359ac702d24d741653848bd5f51a3ac7cbc63ebc831c7cf5da0f08
Instruction ID: 4d0d6ca3ef160f4285d45088554748c0c5bee8eaff8088e1ab50000fe24df0a9
Opcode Fuzzy Hash: 60c1ac9d04359ac702d24d741653848bd5f51a3ac7cbc63ebc831c7cf5da0f08
Instruction Fuzzy Hash: 6B014F75A01718BBEB109BB59C49B5EBFB8EF48751F044065FA04E7391D6709800CFA0

Function 00CA1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA1C22

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 509188e85aa1e674254545e1307ba7aa38d97b23f57ff0b9f8df1e9b2ad106b3
Instruction ID: c60a1872bd21924f459413a8547c5217f314be2134e2c22986853fb7c8f97dc6
Opcode Fuzzy Hash: 509188e85aa1e674254545e1307ba7aa38d97b23f57ff0b9f8df1e9b2ad106b3
Instruction Fuzzy Hash: A9016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00D0EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D0EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D0EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D0EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D0EB75

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7b877070ca9ba3bf0df01f026811fe72217610dd405e608274eb7b5bdc0268d3
Instruction ID: 51502012c48213b98661105c10e7e267d72a3b65d8485b45517608d5b4fe4122
Opcode Fuzzy Hash: 7b877070ca9ba3bf0df01f026811fe72217610dd405e608274eb7b5bdc0268d3
Instruction Fuzzy Hash: D1F03A72250258BBE7215B629C0EEEF3A7CEFCAB11F005158F601E12A1D7A05A01D7B5

Function 00D01874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D0187F
UnloadUserProfile.USERENV(?,?), ref: 00D0188B
CloseHandle.KERNEL32(?), ref: 00D01894
CloseHandle.KERNEL32(?), ref: 00D0189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D018A5
HeapFree.KERNEL32(00000000), ref: 00D018AC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ca9537a4e9af77d9ad471cef2e416d76d2ef22ecfb78e22a75f40258ee700e9d
Instruction ID: 2a81f2267b3e70c2af33791e4fa24d5fd91ec7df70d6543333ea38adf6d45be4
Opcode Fuzzy Hash: ca9537a4e9af77d9ad471cef2e416d76d2ef22ecfb78e22a75f40258ee700e9d
Instruction Fuzzy Hash: C7E0E576114301BBDB015FA1ED0C90ABF39FF59B22B109220F225E1270CB329430EF60

Function 00D0C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D0C6EE
_wcslen.LIBCMT ref: 00D0C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D0C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D0C7CA

Strings

0, xrefs: 00D0C6AF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 705348194b5aba2a0afa8b378f67513d6fdd4905648402e81e6c4018b57aaf98
Instruction ID: bff68fd031d1fe04459d976a9827f0499d9a65bf6a32f1e79d4a222c063f9158
Opcode Fuzzy Hash: 705348194b5aba2a0afa8b378f67513d6fdd4905648402e81e6c4018b57aaf98
Instruction Fuzzy Hash: B751B1716243019BD7259F28C885B6B77E8AF85314F082B2DF999D32E0EB70D9059B72

Function 00D2AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D2AEA3

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

GetProcessId.KERNEL32(00000000), ref: 00D2AF38
CloseHandle.KERNEL32(00000000), ref: 00D2AF67

Strings

<, xrefs: 00D2AE6B
@, xrefs: 00D2AE72

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 59d2795e3fb5802d1c2d0e1811fe932c35f06a2713b99bacef74cf43582fac31
Instruction ID: c7973620461d8982e14f838728bee23185a309ccd30c5bc379908bc55343f5e4
Opcode Fuzzy Hash: 59d2795e3fb5802d1c2d0e1811fe932c35f06a2713b99bacef74cf43582fac31
Instruction Fuzzy Hash: 06718C71A00629DFCB14EF58D484A9EBBF0FF09318F058499E816AB362D774ED45CBA1

Function 00D36278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0116EBD0,?), ref: 00D362E2
ScreenToClient.USER32(?,?), ref: 00D36315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D36382

Strings

@U=u, xrefs: 00D363DD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 12bff20eaf873191819b6db5503ea6cfcba56094cb309f60f02564744cc6b05c
Instruction ID: a337ce54117ba896861958941391c390a8db2e844435103407a3909a0b913b42
Opcode Fuzzy Hash: 12bff20eaf873191819b6db5503ea6cfcba56094cb309f60f02564744cc6b05c
Instruction Fuzzy Hash: E0510A75A00209EFDB10DF68D8819AE7BB5EB45360F188259F965DB2A0D730ED81CB60

Function 00D02716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021D0,?,?,00000034,00000800,?,00000034), ref: 00D0B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D02760

Part of subcall function 00D0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D0B3F8

Part of subcall function 00D0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D0B355
Part of subcall function 00D0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B365
Part of subcall function 00D0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D0281A

Strings

@U=u, xrefs: 00D02760, 00D027CD, 00D0281A
@, xrefs: 00D02832

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: d05331d6d84fbf2828d69e3ecbbbad90db1bca363f615f2fb35bc90643789fb0
Instruction ID: 3d3cd7f8284dbcbd068e7c523539ec90ffeffa25299d3d829cda246412052f4d
Opcode Fuzzy Hash: d05331d6d84fbf2828d69e3ecbbbad90db1bca363f615f2fb35bc90643789fb0
Instruction Fuzzy Hash: EF412B76901218AFDB10DFA4CD86BEEBBB8EF09310F148055FA59B7191DB706E45CBA0

Function 00D0719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D07206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D0723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D0724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D072CF

Strings

DllGetClassObject, xrefs: 00D07242

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b271808846749c84d469998942c1ed74800927cb24c58f25a5fb2fba83cc61bf
Instruction ID: e3768a7272bbf0953397218f91b29fdbc5a9f3c5a37acd2e063531aa4728f037
Opcode Fuzzy Hash: b271808846749c84d469998942c1ed74800927cb24c58f25a5fb2fba83cc61bf
Instruction Fuzzy Hash: 73413BB1E04204AFDB15CF64C884B9A7BA9EF44310F1580A9BD099F28AD7B1ED45DBB4

Function 00D352C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D35352
GetWindowLongW.USER32(?,000000F0), ref: 00D35375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D35382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D353A8

Strings

@U=u, xrefs: 00D35352

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: adf680affbd72d8f2609d049b067b95c5970c714d0d197ec708469a657bfab7d
Instruction ID: a18376eca604157c9ef1266e70a5341f715a6e73a611bd80de3b2be0d91d800b
Opcode Fuzzy Hash: adf680affbd72d8f2609d049b067b95c5970c714d0d197ec708469a657bfab7d
Instruction Fuzzy Hash: CC31C334A95A08EFEB309F54EC06BE83765EB053D0F5C4101FA51962E5C7B1AD80EB72

Function 00D2C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2C9F1
_wcslen.LIBCMT ref: 00D2CA68
_wcslen.LIBCMT ref: 00D2CA9E
_wcslen.LIBCMT ref: 00D2CAF9
_wcslen.LIBCMT ref: 00D2CB2F
_wcslen.LIBCMT ref: 00D2CB7F

Strings

HKLM, xrefs: 00D2CA98, 00D2CA9D
HKEY_LOCAL_MACHINE, xrefs: 00D2CA62, 00D2CA67

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 9c9ac0b1a62a7c82a75972f076140fd7bde4607b7c74461fbb970162cc2e73e3
Instruction ID: 78c9e5ad12020d31fd7e72d4f426a9393a2e32fb31fdbcb6d79b8904cc3c3c0d
Opcode Fuzzy Hash: 9c9ac0b1a62a7c82a75972f076140fd7bde4607b7c74461fbb970162cc2e73e3
Instruction Fuzzy Hash: D4310433A2017E4BCB20DF6CE8515BE33919BB179CB0D5129E855AB344FA71CE8493B0

Function 00D32F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D32F8D
LoadLibraryW.KERNEL32(?), ref: 00D32F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D32FA9
DestroyWindow.USER32(?), ref: 00D32FB1

Strings

SysAnimate32, xrefs: 00D32F68

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 97486f1dae90cc57ee38fd726fcbf68587161be5dd173d7dd95c74e4d98f3954
Instruction ID: f374eaba48fe0de8807ed7c3de9b604d7a87f8e0b0c896fed16a0dc6d639c48e
Opcode Fuzzy Hash: 97486f1dae90cc57ee38fd726fcbf68587161be5dd173d7dd95c74e4d98f3954
Instruction Fuzzy Hash: DF21AC72A04209ABEB104F66DC81EBB77B9EF59368F140228FA50E22A0D771DC919770

Function 00D35660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D356BB
_wcslen.LIBCMT ref: 00D356CD
_wcslen.LIBCMT ref: 00D356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D35816

Strings

@U=u, xrefs: 00D356BB, 00D35816

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 8e3cee7695ab8403a1fe5e4efdf58eded2e4064fb7fc0dc11e9c32414fa13e97
Instruction ID: 1de56c36121b1cc5f402d2ae7ed4cb29e21f511457c8d8dfc8adde96e67541ca
Opcode Fuzzy Hash: 8e3cee7695ab8403a1fe5e4efdf58eded2e4064fb7fc0dc11e9c32414fa13e97
Instruction Fuzzy Hash: A9110075A00618A6DB20DF65EC82AEE37ACEF01760F14802AF905D6085EB70CA80CF70

Function 00CA600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
GetStockObject.GDI32(00000011), ref: 00CA6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

Strings

@U=u, xrefs: 00CA606A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: db2fc674cf4ab2decdb47301fdf39f11bb32fe5736b91ff9ae8e3a64c6d74b89
Instruction ID: 6fc763c7b98d5a62b3269d98f9b68ede8520827371c0c5d409bc46cf1a7a55fb
Opcode Fuzzy Hash: db2fc674cf4ab2decdb47301fdf39f11bb32fe5736b91ff9ae8e3a64c6d74b89
Instruction Fuzzy Hash: D611617250164ABFEF124FA49C45EEABF69EF09398F050215FA1492110D7329DA0EBA4

Function 00CC4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC4D1E,00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002), ref: 00CC4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CC4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CC4D1E,00CD28E9,?,00CC4CBE,00CD28E9,00D688B8,0000000C,00CC4E15,00CD28E9,00000002,00000000), ref: 00CC4DC3

Strings

mscoree.dll, xrefs: 00CC4D86
CorExitProcess, xrefs: 00CC4D98

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a37f1785eae4daf5f2553776f6fa061c3c51939c9555b8ab710e5ad873fd9cfe
Instruction ID: dbaa1617779cb4faf79125ededa5c62f5ea4de1e89efe2590f9c3a4ee97928b6
Opcode Fuzzy Hash: a37f1785eae4daf5f2553776f6fa061c3c51939c9555b8ab710e5ad873fd9cfe
Instruction Fuzzy Hash: EFF04F35A50308BBDB159F90DC49FADBFB5EF44751F0041A8F906E2260CB705A44DBE1

Function 00CFD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00CFD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CFD3BF
FreeLibrary.KERNEL32(00000000), ref: 00CFD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00CFD3B9
X64, xrefs: 00CFD2A8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 4aba517fd10991d77468d0740e9f5dc867178d65095abb1e1d09bfdfae53f129
Instruction ID: 9996c3edc682493d97e48cd21357732e97043378d829cc6d477771f627d050b8
Opcode Fuzzy Hash: 4aba517fd10991d77468d0740e9f5dc867178d65095abb1e1d09bfdfae53f129
Instruction Fuzzy Hash: 68F020358067289BE7F11B118C489793221AF00B01F519148EB13F2224DB20CE48ABE3

Function 00CA4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CA4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CA4EDD,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4EC0

Strings

kernel32.dll, xrefs: 00CA4E94
Wow64DisableWow64FsRedirection, xrefs: 00CA4EA8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: dabe7110163c6e9b30b1beac8e410e7ed59be267503943751a16c5737c4f640c
Instruction ID: 6016597591e8e7fb7522552a87e7828c9e8282217169146ed9b1480157a6974b
Opcode Fuzzy Hash: dabe7110163c6e9b30b1beac8e410e7ed59be267503943751a16c5737c4f640c
Instruction Fuzzy Hash: 9BE08C36A127235B92221B25AC18A6BA658AFC2B66B090115FC01F2240DBA0CE0692F1

Function 00CA4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CA4E74
FreeLibrary.KERNEL32(00000000,?,?,00CE3CDE,?,00D71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CA4E87

Strings

kernel32.dll, xrefs: 00CA4E5B
Wow64RevertWow64FsRedirection, xrefs: 00CA4E6E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d78241873623b0ec02900c74663c8e7f46fa58bdb99ba3a1f09053497a4e1ebe
Instruction ID: c7007111b1ffd2ad23836e76d64fd140578782d830959a9074938dee15e984d5
Opcode Fuzzy Hash: d78241873623b0ec02900c74663c8e7f46fa58bdb99ba3a1f09053497a4e1ebe
Instruction Fuzzy Hash: 46D012365127225B56261B257C1CD8BAA58AFC6B553051515B915F2254CFA0CE0196F0

Function 00D2A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D2A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D2A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D2A468
CloseHandle.KERNEL32(?), ref: 00D2A63D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8e2fef2ee6efe6a353f316522075a7aae3e24c033a97c813af09d7d22aa114f2
Instruction ID: 9e7685ceb8ab68eccb4a0d4a92dd426865cf4292ed0d70dc9aaeb8a291f50ccf
Opcode Fuzzy Hash: 8e2fef2ee6efe6a353f316522075a7aae3e24c033a97c813af09d7d22aa114f2
Instruction Fuzzy Hash: F8A1BF716047019FD720DF28D882F2AB7E1EF94718F18881DF59A9B392D7B0EC418B92

Function 00CDBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D43700), ref: 00CDBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CDBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D71270,000000FF,?,0000003F,00000000,?), ref: 00CDBC36
_free.LIBCMT ref: 00CDBB7F

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDBD4B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 45c1b52a0b28d54db202e8f09f55bde5f7189dcb4bc15c4ceccfb2d55003895c
Instruction ID: 90fc5ad709cf8d55de2938bf1b0779f234a922c24b2692997c740210ed137b3a
Opcode Fuzzy Hash: 45c1b52a0b28d54db202e8f09f55bde5f7189dcb4bc15c4ceccfb2d55003895c
Instruction Fuzzy Hash: 5D51A775900309EFCB10EF69DC429AEB7B8FF44350B11426BE664D73A1EB709E41AB64

Function 00D0E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D0CF22,?), ref: 00D0DDFD

Part of subcall function 00D0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D0CF22,?), ref: 00D0DE16

Part of subcall function 00D0E199: GetFileAttributesW.KERNEL32(?,00D0CF95), ref: 00D0E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D0E473
MoveFileW.KERNEL32(?,?), ref: 00D0E4AC
_wcslen.LIBCMT ref: 00D0E5EB
_wcslen.LIBCMT ref: 00D0E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D0E650

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 656c895f9f6809cc955469bf06e6dda76a4515f23195e85aef980d2fd3648869
Instruction ID: 2f3231109560774d10c89bc8c170eb8b82a71720f86778278358ebb500bc9170
Opcode Fuzzy Hash: 656c895f9f6809cc955469bf06e6dda76a4515f23195e85aef980d2fd3648869
Instruction Fuzzy Hash: 0E515DB24083459BC724EB90D885ADBB3ECEF85344F04492EE589D3191EE75E6888776

Function 00D2B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D2B6AE,?,?), ref: 00D2C9B5
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2C9F1
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA68
Part of subcall function 00D2C998: _wcslen.LIBCMT ref: 00D2CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D2BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D2BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D2BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D2BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D2BBB3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b1064e8c3d8dd9f3aa3a74b75600410f28df7e73e97331046d425114ed939e4a
Instruction ID: 6860fc62510c74813bd03d92603b2e4941a5b0ee43f0bab088ae384ff9c7354d
Opcode Fuzzy Hash: b1064e8c3d8dd9f3aa3a74b75600410f28df7e73e97331046d425114ed939e4a
Instruction Fuzzy Hash: C761C131208241AFC314DF24D491E2ABBE5FF8531CF18859DF4998B2A2CB71ED45CBA2

Function 00D08BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D08BCD
VariantClear.OLEAUT32 ref: 00D08C3E
VariantClear.OLEAUT32 ref: 00D08C9D
VariantClear.OLEAUT32(?), ref: 00D08D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D08D3B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4365a203392ebd9bcdeeec561f59c061453d597604926dc0cb683991783aa5b3
Instruction ID: b594b44ee96fd3673e31e7b2fcd025eb534d718c677cf23cf67d17815a06722f
Opcode Fuzzy Hash: 4365a203392ebd9bcdeeec561f59c061453d597604926dc0cb683991783aa5b3
Instruction Fuzzy Hash: 18517BB5A10219EFCB10CF68C884AAAB7F8FF89310B158559F949DB350E730E911CFA0

Function 00D18AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D18BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D18BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D18C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D18C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D18C5F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c32651cc18b6812f263bd39e730d3e5e1d89434110712a9e36cefc8e3542c8f0
Instruction ID: d5ac5d38e2ca0e0dc86a5d26f2891d3f2620a17dd400e4d01a54d80745da5391
Opcode Fuzzy Hash: c32651cc18b6812f263bd39e730d3e5e1d89434110712a9e36cefc8e3542c8f0
Instruction Fuzzy Hash: C5513D35A00215EFCB05DF64C881AAEBBF5FF49314F088458E849AB362DB35ED51DBA0

Function 00D28EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D28F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D28FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D28FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D29032
FreeLibrary.KERNEL32(00000000), ref: 00D29052

Part of subcall function 00CBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D11043,?,75B8E610), ref: 00CBF6E6
Part of subcall function 00CBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CFFA64,00000000,00000000,?,?,00D11043,?,75B8E610,?,00CFFA64), ref: 00CBF70D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0af289bc0413c090767f1c9778ca2ff79e760a84c9eba991badf50da6f33f42b
Instruction ID: f52c133e1ea2768cca703656777bd3e0413012951488eaec977016bbf38c0873
Opcode Fuzzy Hash: 0af289bc0413c090767f1c9778ca2ff79e760a84c9eba991badf50da6f33f42b
Instruction Fuzzy Hash: A8515E35601215DFC711DF54C5958ADBBF1FF59318F088099E805AB362DB31ED85DBA0

Function 00CD2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD20C3
_free.LIBCMT ref: 00CD20E3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 633b5991d2840a0a663d5e598aeee0a45e444b72e728eea3f8ef59689c430909
Instruction ID: 5cb37b8d6af40b88971b676091959f3577f62561bc258645c896fc444b9b5ac7
Opcode Fuzzy Hash: 633b5991d2840a0a663d5e598aeee0a45e444b72e728eea3f8ef59689c430909
Instruction Fuzzy Hash: 6441C532A00200AFCB24DF78C981A6DB7F5EF99314F1585AAE615EB395D731EE01DB90

Function 00CB912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CB9141
ScreenToClient.USER32(00000000,?), ref: 00CB915E
GetAsyncKeyState.USER32(00000001), ref: 00CB9183
GetAsyncKeyState.USER32(00000002), ref: 00CB919D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5d0ab9c641882ccdcb0ed90c0e4fe432b4055e9b85a4ec7df3c3b07632ff549e
Instruction ID: 6e4b7998e2bfbff69254cfc82cbfb9ff9a1458e98c9e4647f4f3ab002884c378
Opcode Fuzzy Hash: 5d0ab9c641882ccdcb0ed90c0e4fe432b4055e9b85a4ec7df3c3b07632ff549e
Instruction Fuzzy Hash: F9414F71A0861AFBDF159F68C848BFEB774FF05320F208319E529A7290C7346A54DBA1

Function 00D13874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D13922
TranslateMessage.USER32(?), ref: 00D1394B
DispatchMessageW.USER32(?), ref: 00D13955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D13966

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cd7dea54140cb41aa2f96caa1dad567bb5877a196bda01dfe46c7f79cc26232a
Instruction ID: 5c1d365670e9578d120a92dd9ba0c16dbe322310d69df4d022365c6aa24c92a7
Opcode Fuzzy Hash: cd7dea54140cb41aa2f96caa1dad567bb5877a196bda01dfe46c7f79cc26232a
Instruction Fuzzy Hash: 15318874504341BEEB35CB38B849BF63BA4EB05304F080669E4A6D6290EBB496C5CF71

Function 00D1CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00D1CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D1CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D1C21E,00000000), ref: 00D1CFF2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f91f300504e94e4d263b5736f8ef3a5bb58e7b5f11df5bb6501f6106597a1a45
Instruction ID: fe6017d6206f9cb5125fd065b162e56bb0e3e9c9b41caf936106685594351893
Opcode Fuzzy Hash: f91f300504e94e4d263b5736f8ef3a5bb58e7b5f11df5bb6501f6106597a1a45
Instruction Fuzzy Hash: 29315A71555305BFDB20DFA5E884AABBBF9EF14310B14542EF516E2240EB30EE829B70

Function 00D01901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D01915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D019E2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f8ec66b58def82654fc39190000cc120b195f5cc7e8e2c4f52df6109fd7b351e
Instruction ID: 68b18c8fac297497bd7bca5efca5927f30533d8f01b4497f4c65276cc4d32148
Opcode Fuzzy Hash: f8ec66b58def82654fc39190000cc120b195f5cc7e8e2c4f52df6109fd7b351e
Instruction Fuzzy Hash: 88319C75A00219EFCB00CFA8DD99BDE3BB5EB05315F144229F965E72D1C7709944DBA0

Function 00D20930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D20951
GetForegroundWindow.USER32 ref: 00D20968
GetDC.USER32(00000000), ref: 00D209A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D209B0
ReleaseDC.USER32(00000000,00000003), ref: 00D209E8

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 652bcbec2064d793c62cf7c763af27df9656ebd5132a0c99df8fc766d58fdbe4
Instruction ID: 50840dea883d88d993d5ef81c64ca6c4910505f1dc59afccf71074be5d4f9e08
Opcode Fuzzy Hash: 652bcbec2064d793c62cf7c763af27df9656ebd5132a0c99df8fc766d58fdbe4
Instruction Fuzzy Hash: 83216F35A00214AFD704EF69D885AAEBBE9EF45704F048068F84AE7762CB30EC44DB60

Function 00CDCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CDCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CDCDE9

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CDCE0F
_free.LIBCMT ref: 00CDCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CDCE31

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f294e641565c33c54303c021ce63ebab68dc519727d3574dc7ebcc25d8475433
Instruction ID: f4ccee8bfd43d1fde4375063ed2fc6f1b5539412da56ecc7a455988c3a57b4ca
Opcode Fuzzy Hash: f294e641565c33c54303c021ce63ebab68dc519727d3574dc7ebcc25d8475433
Instruction Fuzzy Hash: 640184B26013167F272116BB6CC8D7BBA6DDEC6BA1315012BFA15D7701EA618E01E2B0

Function 00CB9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
SelectObject.GDI32(?,00000000), ref: 00CB96A2
BeginPath.GDI32(?), ref: 00CB96B9
SelectObject.GDI32(?,00000000), ref: 00CB96E2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 73f19f14f871451f53f431c5b1c17d1c276cd8c4d4e085eb7cb7786820db93ae
Instruction ID: cfdda9bf872d8f56d48dddc2aad32cc7bd35a49b97d94753b661a6ad366238c1
Opcode Fuzzy Hash: 73f19f14f871451f53f431c5b1c17d1c276cd8c4d4e085eb7cb7786820db93ae
Instruction Fuzzy Hash: F8217F35812305EBDB119F29DC197E97BB8FB10355F100316F628E62B0E3709996DFA0

Function 00D05711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D05726
_memcmp.LIBVCRUNTIME ref: 00D05744
_memcmp.LIBVCRUNTIME ref: 00D05757
_memcmp.LIBVCRUNTIME ref: 00D0576F
_memcmp.LIBVCRUNTIME ref: 00D05787

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2bf01e8cb456f56bb2d309baee88e8ab706d38f0c82a9602ac630cdc19e414a6
Instruction ID: e179099bd8a9f403cd3a0a1fd6f8d5bb254a7dae10daa45c573b58a424cb4738
Opcode Fuzzy Hash: 2bf01e8cb456f56bb2d309baee88e8ab706d38f0c82a9602ac630cdc19e414a6
Instruction Fuzzy Hash: 3101BE61641609BFD7189611EE81FBB735C9FA2358F1C4024FD0C5A1C5F760ED14A6B1

Function 00CD2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CCF2DE,00CD3863,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6), ref: 00CD2DFD
_free.LIBCMT ref: 00CD2E32
_free.LIBCMT ref: 00CD2E59
SetLastError.KERNEL32(00000000,00CA1129), ref: 00CD2E66
SetLastError.KERNEL32(00000000,00CA1129), ref: 00CD2E6F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f63c696287517817bcb34d6c6b4012c19a27fe690e4975b6f0bfe2d8620e7edb
Instruction ID: ded48248167df5121d10be0891f46440f75f78f2abb7d452d11ea624c4c8fc7c
Opcode Fuzzy Hash: f63c696287517817bcb34d6c6b4012c19a27fe690e4975b6f0bfe2d8620e7edb
Instruction Fuzzy Hash: 2F01D1326057006B861227356C45D2B2759ABE13A3B24442BF775E2792EAA4CD016130

Function 00D0000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?,?,00D0035E), ref: 00D0002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?), ref: 00D00064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CFFF41,80070057,?,?), ref: 00D00070

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 26c4818e630c48796a4255c4cca3c53834892f726200da86d06c77f836a21ab8
Instruction ID: 9a704889ea81dc86bf5a909d37aca91db5250af712eb2cb972f2db9e6223a87a
Opcode Fuzzy Hash: 26c4818e630c48796a4255c4cca3c53834892f726200da86d06c77f836a21ab8
Instruction Fuzzy Hash: 2D018F76610304BFDB104F68DC08BAA7EADEB48792F145124F909E2250DB71DE408BB0

Function 00D0E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D0E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D0E9A5
Sleep.KERNEL32(00000000), ref: 00D0E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D0E9B7
Sleep.KERNEL32 ref: 00D0E9F3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 83933fe337fdb6cc1e847e0cdaf0cef872ac24e2632ab09394d2268226c0abd4
Instruction ID: becd122e78c95907f2a6f665acbb3ddcacda4e49b3cedba092a2d2e3c5794744
Opcode Fuzzy Hash: 83933fe337fdb6cc1e847e0cdaf0cef872ac24e2632ab09394d2268226c0abd4
Instruction Fuzzy Hash: DA011731D01629DBCF00ABE6ED59BEDFB78FB09701F000956E946B2291CB7096549BB1

Function 00D010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D01114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D0112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D00B9B,?,?,?), ref: 00D01136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0114D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a037454f72b31d6b2349edce8019a0f03e3b193a09ebdd1fcddee65763679665
Instruction ID: d818a71aa53f9ed42daf077cdb7a2743b85444cc7cdc2adb76691de38fad9d7a
Opcode Fuzzy Hash: a037454f72b31d6b2349edce8019a0f03e3b193a09ebdd1fcddee65763679665
Instruction Fuzzy Hash: DC011979210315BFDB154FA5DC49A6A3B6EEF893A0B244419FA49E73A0DA31DC009B70

Function 00D00FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D00FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D00FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D00FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D00FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D01002

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ae44524099765b2b52c5ddb3765836f9e758c572fcea9754191346a049409459
Instruction ID: fde9e87755b6bec3d6e7c4f91bbadab9b2de530bd4a500df23392c733f4e48ca
Opcode Fuzzy Hash: ae44524099765b2b52c5ddb3765836f9e758c572fcea9754191346a049409459
Instruction Fuzzy Hash: AAF04939210302ABDB224FA49C4AF5A3BADEF89762F144414FA89E7391CA70DC508B70

Function 00D01014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D0102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D01036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01062

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5f8892fa2ab18bf55f5c3850bcc32059cc18b32e071c90f6451773f895df3d9d
Instruction ID: 952c53ef3ead99a5fe1467449a917d66fa50d8203abb71546d8f43cb0c5270f1
Opcode Fuzzy Hash: 5f8892fa2ab18bf55f5c3850bcc32059cc18b32e071c90f6451773f895df3d9d
Instruction Fuzzy Hash: E2F06D39210301EBDB215FA4EC4AF563BADEF89761F140418FA89E7390CA70D8508B70

Function 00D1030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10324
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10331
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D1033E
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D1034B
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10358
CloseHandle.KERNEL32(?,?,?,?,00D1017D,?,00D132FC,?,00000001,00CE2592,?), ref: 00D10365

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7c02d725690dffe70a213d9a16980f75ba7841f11d2855dddc842dea5a09bee1
Instruction ID: 9a19aef2626f04e0ba42911a41c4e0e59c478513f481c60b2c17b61bc4342328
Opcode Fuzzy Hash: 7c02d725690dffe70a213d9a16980f75ba7841f11d2855dddc842dea5a09bee1
Instruction Fuzzy Hash: 7401A272800B15AFC730AF66E880452FBF9BF503153198A3FD1A652931C7B1A995DF90

Function 00CDD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CDD752

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CDD764
_free.LIBCMT ref: 00CDD776
_free.LIBCMT ref: 00CDD788
_free.LIBCMT ref: 00CDD79A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 121bb96e487f32cfac66901736bfa74da37ae2f3b75630302f2fecf794591731
Instruction ID: 07c47b4cfcfc2669e4e56b88127c269f35b40e47b4a79780e4b1ce3e47abf65c
Opcode Fuzzy Hash: 121bb96e487f32cfac66901736bfa74da37ae2f3b75630302f2fecf794591731
Instruction Fuzzy Hash: D6F09632950304AB8621FB64F9C1C2677DDBB44310B951C47F2A9D7705C730FC809A70

Function 00D05C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D05C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D05C6F
MessageBeep.USER32(00000000), ref: 00D05C87
KillTimer.USER32(?,0000040A), ref: 00D05CA3
EndDialog.USER32(?,00000001), ref: 00D05CBD

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 817360b744b80f63ea25731d489f3cba832025a703153af05a36dd5dda2e6dd4
Instruction ID: 47ce51fec2d8491a0bfe1201125f2b5650420dd3135ee55e5d20bd7940acf3af
Opcode Fuzzy Hash: 817360b744b80f63ea25731d489f3cba832025a703153af05a36dd5dda2e6dd4
Instruction Fuzzy Hash: 0A016D31510B04ABFB215B10EE4FFA67BB8BB00B05F042559A987B11E1DBF4A984CFA4

Function 00CD22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CD22BE

Part of subcall function 00CD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000), ref: 00CD29DE
Part of subcall function 00CD29C8: GetLastError.KERNEL32(00000000,?,00CDD7D1,00000000,00000000,00000000,00000000,?,00CDD7F8,00000000,00000007,00000000,?,00CDDBF5,00000000,00000000), ref: 00CD29F0

_free.LIBCMT ref: 00CD22D0
_free.LIBCMT ref: 00CD22E3
_free.LIBCMT ref: 00CD22F4
_free.LIBCMT ref: 00CD2305

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 640d16d9d53646841d2c3c1e9b74d5e7045d01e285000f85d1d92d996953a7d1
Instruction ID: 5c7ecf497af1a8b4224326145596209b74f16681b7a3a84e43301159dc436b55
Opcode Fuzzy Hash: 640d16d9d53646841d2c3c1e9b74d5e7045d01e285000f85d1d92d996953a7d1
Instruction Fuzzy Hash: 31F03A74810320CB8622BF68BC128187F64BB28760700160BF618D33B2EB700991BBB8

Function 00CB95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CB95D4
StrokeAndFillPath.GDI32(?,?,00CF71F7,00000000,?,?,?), ref: 00CB95F0
SelectObject.GDI32(?,00000000), ref: 00CB9603
DeleteObject.GDI32 ref: 00CB9616
StrokePath.GDI32(?), ref: 00CB9631

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7052b8df5670a45896dbf1a9b43f20eb02deccf6895bb57e1e06ee4dfbef6438
Instruction ID: dac40fc6769256e10b86d0cbe731b8300a37ba115ef0986a1bd21749f256c3d8
Opcode Fuzzy Hash: 7052b8df5670a45896dbf1a9b43f20eb02deccf6895bb57e1e06ee4dfbef6438
Instruction Fuzzy Hash: 44F0B639016344EBDB265F69ED187A43B65EB01362F048314F679E52F0E7308A96DF31

Function 00CD0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CD10F9
__freea.LIBCMT ref: 00CD1117

Part of subcall function 00CD1537: _free.LIBCMT ref: 00CD154F

Strings

a/p, xrefs: 00CD11DE
am/pm, xrefs: 00CD117A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e39da1a7d59c4f85fe88327ae11a42436c2382651e4642389584c8cbd722fbd0
Instruction ID: b50a6cfb02bc00edc6652b35965a438c09d4f8d9b1a2d2130ce8c823b6c9027e
Opcode Fuzzy Hash: e39da1a7d59c4f85fe88327ae11a42436c2382651e4642389584c8cbd722fbd0
Instruction Fuzzy Hash: 85D1D031900246EADB28AF69C855BBEB7B1EF05300F2C415BEF219B761D3759E80CB91

Function 00D27B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CC0242: EnterCriticalSection.KERNEL32(00D7070C,00D71884,?,?,00CB198B,00D72518,?,?,?,00CA12F9,00000000), ref: 00CC024D
Part of subcall function 00CC0242: LeaveCriticalSection.KERNEL32(00D7070C,?,00CB198B,00D72518,?,?,?,00CA12F9,00000000), ref: 00CC028A

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00CC00A3: __onexit.LIBCMT ref: 00CC00A9

__Init_thread_footer.LIBCMT ref: 00D27BFB

Part of subcall function 00CC01F8: EnterCriticalSection.KERNEL32(00D7070C,?,?,00CB8747,00D72514), ref: 00CC0202
Part of subcall function 00CC01F8: LeaveCriticalSection.KERNEL32(00D7070C,?,00CB8747,00D72514), ref: 00CC0235

Strings

5, xrefs: 00D27C78
G, xrefs: 00D27C7F
Variable must be of type 'Object'., xrefs: 00D27C3A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 35ea4bf2fff7fcb13a870977aeadc8415bd5b940c55d99696a232173414abb54
Instruction ID: ea3ff171e32484dde63211f58f7a32767b38ea00b43d026e8c6aa42f851bca72
Opcode Fuzzy Hash: 35ea4bf2fff7fcb13a870977aeadc8415bd5b940c55d99696a232173414abb54
Instruction Fuzzy Hash: 0091AC70A04219EFCB24EF54E881DADB7B1FF55308F148059F846AB292DB31AE45DB71

Function 00CD172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\8f5WsFcnTc.exe,00000104), ref: 00CD1769
_free.LIBCMT ref: 00CD1834
_free.LIBCMT ref: 00CD183E

Strings

C:\Users\user\Desktop\8f5WsFcnTc.exe, xrefs: 00CD1760, 00CD1767, 00CD1796, 00CD17CE

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\8f5WsFcnTc.exe
API String ID: 2506810119-3246132998
Opcode ID: 79e7b51217b91eb6b308d6476d73db104f33e570ba66e5b4c7b1adb8dbb2761c
Instruction ID: 795ef62424904a9a78c24a1808206e1b89789b377a4b39208e965ba09969e18d
Opcode Fuzzy Hash: 79e7b51217b91eb6b308d6476d73db104f33e570ba66e5b4c7b1adb8dbb2761c
Instruction Fuzzy Hash: 75319175A00208FBDB21DF99DC85D9EBBFCEB85310B19416BFA04D7351E6708A40EBA0

Function 00D0C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D0C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D0C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D71990,011658A8), ref: 00D0C395

Strings

0, xrefs: 00D0C2DF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 383f56fb9084f34b178d9727c78668b35165a10272b85b5c4340c7e948dcc667
Instruction ID: bcd42ea82c81dbf48de4a2d9a4981f75b107712143ad6570c6f2e0a6f964a3a2
Opcode Fuzzy Hash: 383f56fb9084f34b178d9727c78668b35165a10272b85b5c4340c7e948dcc667
Instruction Fuzzy Hash: 33417C312243029FD720DF25D885B5ABBA8EB85320F149B1EF9A9972D1D770A904CB72

Function 00D34416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D3CC08,00000000,?,?,?,?), ref: 00D344AA
GetWindowLongW.USER32 ref: 00D344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D344D7

Strings

SysTreeView32, xrefs: 00D3447C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c33f98cb34699359307810443f50006ba5c51560a415573d1f0e0fcebf011abb
Instruction ID: 7d897c9bad34e6184374ab0ef1a3fe41ec684f272468f89a95cf6722defd6a9d
Opcode Fuzzy Hash: c33f98cb34699359307810443f50006ba5c51560a415573d1f0e0fcebf011abb
Instruction Fuzzy Hash: B4318D32210205AFDB209F38DC45BEA77A9EB09334F244725F975E22E0D7B4EC509760

Function 00D2304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D23077,?,?), ref: 00D23378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D2307A
_wcslen.LIBCMT ref: 00D2309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D23106

Strings

255.255.255.255, xrefs: 00D23095, 00D2309A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e90d6dac6ff85d59865307209324a80b398a4dbc1f8b9fa7d4fc23ccb746e82a
Instruction ID: 6c22941f4c53e3917ae4582ae9e5b9ebf12fbcf77a5c550a37a5a45dac0ffdf3
Opcode Fuzzy Hash: e90d6dac6ff85d59865307209324a80b398a4dbc1f8b9fa7d4fc23ccb746e82a
Instruction Fuzzy Hash: 2231B0352043259FCB10CF68D586EAA77E0EF6531CF288059E9158B392DB7AEE41C770

Function 00D34653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D34705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D34713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D3471A

Strings

msctls_updown32, xrefs: 00D34684

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5cfab165068162f9da1252805a6d1f49e4a980d87e7719c24cecd47f345d4aba
Instruction ID: 68c7175d087163f3e3ee934903958c3aeb4c0006d300a7af2a5220361dd9ff9f
Opcode Fuzzy Hash: 5cfab165068162f9da1252805a6d1f49e4a980d87e7719c24cecd47f345d4aba
Instruction Fuzzy Hash: 42214AB5600209AFDB10DF68DC81DA637ADEB4A3A8B040159FA049B3A1DB74FC51DAB0

Function 00D095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D0961D

Strings

#OnAutoItStartRegister, xrefs: 00D095F3
#requireadmin, xrefs: 00D095D9
#notrayicon, xrefs: 00D095B7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0119be60e0c364c276eefdf47b5f43c4da883084878886970028c74ca61f0990
Instruction ID: efc0c6f8d5a331405ccd8eb3db2fd5c01b3bc3f22ee815dcf89639e3397323b5
Opcode Fuzzy Hash: 0119be60e0c364c276eefdf47b5f43c4da883084878886970028c74ca61f0990
Instruction Fuzzy Hash: D42138725045116AC331AB25DC26FB7F398AF51310F58402AF98D971C2EB52DD46D2B5

Function 00D337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D33840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D33850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D33876

Strings

Listbox, xrefs: 00D3380F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: aa2bcd428f0e09b98fc61f51b0811775a4aca8dcabc2a6ee6a4e43364c76f81f
Instruction ID: 2df3893257a178b02770f687e22cc328790f7d71c2dc32b684669c55366504a2
Opcode Fuzzy Hash: aa2bcd428f0e09b98fc61f51b0811775a4aca8dcabc2a6ee6a4e43364c76f81f
Instruction Fuzzy Hash: 3A21A1B2610218BBEF218F54DC85FBB376EEF89764F158124F9449B190C671DC5287B0

Function 00D0223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D02258

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D0228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D022CA

Strings

@U=u, xrefs: 00D02258, 00D0228A, 00D022CA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 490b26e558f5a8ee11a5c33b2d56466d8ac8d193ece6a2729ad08b05c460c4c2
Instruction ID: cd836b8bffa6052b4889d6a6a70061d29d563d46b4a674f03a9bd89a6189fff7
Opcode Fuzzy Hash: 490b26e558f5a8ee11a5c33b2d56466d8ac8d193ece6a2729ad08b05c460c4c2
Instruction Fuzzy Hash: 5121D731701304ABDB109BA59D8EFFE3BA8EB59710F085028FA09E72D0D770D94597B1

Function 00D149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D14A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D14A5C
SetErrorMode.KERNEL32(00000000,?,?,00D3CC08), ref: 00D14AD0

Strings

%lu, xrefs: 00D14A6F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a4291e9e6e3452a3f806bc92a97ce2b2921400e30e11e4c0bc2f9534c255c5b4
Instruction ID: 4b5fe2a7864eacd42fea3e8b48ad397b9840df6e7e2edb5a890128aa31e1dfa9
Opcode Fuzzy Hash: a4291e9e6e3452a3f806bc92a97ce2b2921400e30e11e4c0bc2f9534c255c5b4
Instruction Fuzzy Hash: 02317F75A00209AFD710DF54C885EAA7BF8EF05308F148095F909DB252DB71ED45DB71

Function 00D01B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D01B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D01B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00D01B99

Strings

@U=u, xrefs: 00D01B99

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d31271184b52df5cfcf1a92bb482e245a39593d4ee48de62e82abfbafd79a64f
Instruction ID: ccb5feedc403efb5541e2c10a9e4eb3abd26edb1ca53b81bba42fca6475fba06
Opcode Fuzzy Hash: d31271184b52df5cfcf1a92bb482e245a39593d4ee48de62e82abfbafd79a64f
Instruction Fuzzy Hash: 76219635600118BFDB15DB98D941EAEB7FEEF45340F14045AE109E3290DB71AE40DB64

Function 00D20CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00D20D24
SendMessageW.USER32(0000000C,00000000,?), ref: 00D20D65
SendMessageW.USER32(0000000C,00000000,?), ref: 00D20D8D

Strings

@U=u, xrefs: 00D20D24, 00D20D65, 00D20D8D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 621c38312eeaf8baeed13222db5427ca9a2514e7cb6eddd00ada837a8215dbd0
Instruction ID: 9255d86350eb11d7bbb6a9363c9d8880f0c43af2fe1e1158ec570ff6e9994952
Opcode Fuzzy Hash: 621c38312eeaf8baeed13222db5427ca9a2514e7cb6eddd00ada837a8215dbd0
Instruction Fuzzy Hash: 46213835600611AFE710EB68E991D2AB7E6FB0A314B048655F909DBA72D720FC50DBA0

Function 00D341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D3424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D34264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D34271

Strings

msctls_trackbar32, xrefs: 00D34226

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0ba0fb3e5e55bff6f6f3054ead82a39dca2a7a4d1cf352edc583666bc3351fec
Instruction ID: 70eaf927afcb3a403a0765109d5c0ed4326c71dd97940b86b450c656e91a26de
Opcode Fuzzy Hash: 0ba0fb3e5e55bff6f6f3054ead82a39dca2a7a4d1cf352edc583666bc3351fec
Instruction Fuzzy Hash: 9711E031240308BFEF205E29CC06FAB3BACEF85B64F010224FA55E21A0D271E8519B34

Function 00D02F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Part of subcall function 00D02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D02DC5
Part of subcall function 00D02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D02DD6
Part of subcall function 00D02DA7: GetCurrentThreadId.KERNEL32 ref: 00D02DDD
Part of subcall function 00D02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D02DE4

GetFocus.USER32 ref: 00D02F78

Part of subcall function 00D02DEE: GetParent.USER32(00000000), ref: 00D02DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D02FC3
EnumChildWindows.USER32(?,00D0303B), ref: 00D02FEB

Strings

%s%d, xrefs: 00D02FFF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 948b1408e5d8726e92d8dd3eeb3f0437d7339f86e1e20db71a56eaa136565823
Instruction ID: d2f46afb90eb980229adb20b783d7b6831cda9279a0181405ba9cf8100b1f40d
Opcode Fuzzy Hash: 948b1408e5d8726e92d8dd3eeb3f0437d7339f86e1e20db71a56eaa136565823
Instruction Fuzzy Hash: CD11AF71700205ABCF15BF649C8AFEE776AEF84304F085075B90DAB292DE3099499B70

Function 00D33429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D334BA

Strings

@U=u, xrefs: 00D334BA
edit, xrefs: 00D3348F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 1cdbfd97c3531672ac8069af41916cd61ef7328c90d894561dce38ef8250e6d5
Instruction ID: cee2b31fcd50e6f8810a1cf585c67848a28b6c39bc8361c39bae8a9024befc69
Opcode Fuzzy Hash: 1cdbfd97c3531672ac8069af41916cd61ef7328c90d894561dce38ef8250e6d5
Instruction Fuzzy Hash: BE118C71100208AFEB228F64DD44AAB376AEB05378F544324F965E32E0C771DCA19B70

Function 00D01CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D01D4C

Strings

ListBox, xrefs: 00D01D16
@U=u, xrefs: 00D01D4C
ComboBox, xrefs: 00D01CEB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 250fa69921cad5da4109ee6be79e985d1462d6d90aa0d4855a8d75d7f275b08a
Instruction ID: 7fc9003d59de370618befe3fde8f8f272cd8a048a6546a9b3e799837d2f91266
Opcode Fuzzy Hash: 250fa69921cad5da4109ee6be79e985d1462d6d90aa0d4855a8d75d7f275b08a
Instruction Fuzzy Hash: 1B01D875601225ABCB04EBA4CC56EFE7368EB47354F040619F876673D1EA3099089770

Function 00D01BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D01C46

Strings

ListBox, xrefs: 00D01C10
@U=u, xrefs: 00D01C46
ComboBox, xrefs: 00D01BE5

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 569a9ca7658ddb662a037aa41171bd678e09f08a644b943cdb36818a78b11e06
Instruction ID: 07a5920c1f55ad450828bba99e33109c51c9c1de6d8d8a9ee527238ef51c7acb
Opcode Fuzzy Hash: 569a9ca7658ddb662a037aa41171bd678e09f08a644b943cdb36818a78b11e06
Instruction Fuzzy Hash: C101A7757811056BDB08EB90C956BFFB7A8DB12344F140019F41A772C1EA24DE4C96B5

Function 00D01C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

Part of subcall function 00D03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D03CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D01CC8

Strings

ListBox, xrefs: 00D01C94
@U=u, xrefs: 00D01CC8
ComboBox, xrefs: 00D01C69

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 4801c5a46b710dd810b06c4abf73ba4740d896c33b7dd0c6a6f6aa067ade366b
Instruction ID: a586625bec0257a22d38af50f10fbaeb1de5f9ed347b01ee4788ae76e42d6643
Opcode Fuzzy Hash: 4801c5a46b710dd810b06c4abf73ba4740d896c33b7dd0c6a6f6aa067ade366b
Instruction Fuzzy Hash: 2C01D675B801196BEB04EBA5CA16BFEB3ACDB12384F140015B80AB32C1EA70DF08D675

Function 00D35882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D358EE
DrawMenuBar.USER32(?), ref: 00D358FD

Strings

0, xrefs: 00D3588F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ac99c8e8f74773f0f1ef57e23622726c006ebed87b427e8aa99fba3fb06e23c7
Instruction ID: 1d6cca0e08f95b72883015f7fcda34752bb14af1448f56866782a6c3c957f93d
Opcode Fuzzy Hash: ac99c8e8f74773f0f1ef57e23622726c006ebed87b427e8aa99fba3fb06e23c7
Instruction Fuzzy Hash: 0D018031500258EFDB219F11EC44BEEBBB4FF45360F1480A9E849D6251DB308A94EF31

Function 00D37803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00D718B0,00D3A364,000000FC,?,00000000,00000000,?,?,?,00CF76CF,?,?,?,?,?), ref: 00D37805
GetFocus.USER32 ref: 00D3780D

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

SendMessageW.USER32(0116EBD0,000000B0,000001BC,000001C0), ref: 00D3787A

Strings

@U=u, xrefs: 00D3787A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: c745bb24ee460c431305627e7ec5889effa335557bd1eb0fecb431ad5d9aae8b
Instruction ID: c682f439cb4f8b5cc61f8fdd213d9b4b806d4db84191ecf74e0174eeeafbbe6e
Opcode Fuzzy Hash: c745bb24ee460c431305627e7ec5889effa335557bd1eb0fecb431ad5d9aae8b
Instruction Fuzzy Hash: A6017C756016009FC335DB28D858AA633E6EF8A320F180269E529C73A0DB316C42CFA0

Function 00D0007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd7a6c7f012c589099e06b5273bc4845e715195d7697f7318f6d15ab68e4a3
Instruction ID: 9de9c928f975dbb876698e99c807234a88c742e670fc9953d31a7e9871dba9fb
Opcode Fuzzy Hash: 11cd7a6c7f012c589099e06b5273bc4845e715195d7697f7318f6d15ab68e4a3
Instruction Fuzzy Hash: D5C12C75A0021AEFDB15CFA4C894BAEBBB5FF48704F148598E509EB291D731DE41CBA0

Function 00D2342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D23459
CoUninitialize.OLE32 ref: 00D23463
VariantInit.OLEAUT32(?), ref: 00D2346E
VariantClear.OLEAUT32(?), ref: 00D2371B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 8d8a25052616ee97d67e6fe5f6c284eb8919761bd6334878bdea7699e8b68562
Instruction ID: fbe029226163988aae6b978e992a8d9408fd064b2c92ff29dd814c3bd2ff61b4
Opcode Fuzzy Hash: 8d8a25052616ee97d67e6fe5f6c284eb8919761bd6334878bdea7699e8b68562
Instruction Fuzzy Hash: 32A16F756043119FC700EF28D885A2AB7E5FF89718F04895DF98A9B362DB34ED01DBA1

Function 00D00436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D00608
CLSIDFromProgID.OLE32(?,?,00000000,00D3CC40,000000FF,?,00000000,00000800,00000000,?,00D3FC08,?), ref: 00D0062D
_memcmp.LIBVCRUNTIME ref: 00D0064E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 80b58429e047ecd33201e5cbaf758b97555ad574cb52b7e3a2dafbe8f617ea42
Instruction ID: 8b466de0a869d027d1c2e9debfd29009a4855856c5245400963f463f85e0c294
Opcode Fuzzy Hash: 80b58429e047ecd33201e5cbaf758b97555ad574cb52b7e3a2dafbe8f617ea42
Instruction Fuzzy Hash: 9181FE75A00109EFCB04DF94C988EEEBBB9FF89315F144558E516EB290DB71AE06CB60

Function 00CE1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE14C0

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 24767c41011c702e52f4ee4aafe382e24c09a2ab7ef4852a1affdf3219cb96bd
Instruction ID: f7d7d1ae325220629ea918f4d5b6bfaa6991662abdeeacf575a67228803eae90
Opcode Fuzzy Hash: 24767c41011c702e52f4ee4aafe382e24c09a2ab7ef4852a1affdf3219cb96bd
Instruction Fuzzy Hash: 31413E35A005906BDB216BBBCC45BBE3AA5EF41330F1C0269FD29D63D2E6348951B272

Function 00D21AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D21AFD
WSAGetLastError.WSOCK32 ref: 00D21B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D21B8A
WSAGetLastError.WSOCK32 ref: 00D21B94

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f2bb6c4a03ae3f1fc5934b2a01739cd906fb14d775aaf8abfbf09ed83eef5785
Instruction ID: 6ec5d5077b5272131ca9e34c9e8072470d6c325a01d22102ed00c7d51eb9a42c
Opcode Fuzzy Hash: f2bb6c4a03ae3f1fc5934b2a01739cd906fb14d775aaf8abfbf09ed83eef5785
Instruction Fuzzy Hash: 2541D138600201AFE720AF24D886F2A77E5AB55718F58C448F91A9F3D2D772DD41CBA0

Function 00CDB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64f6a5505b1e893a14c63466c46314e97379ca3a7baa7abafe8bcdc78503561
Instruction ID: cda0bd4a16831265e780ecbc2e0f9e7f909cadb7b9ed31b1081ee468e9171e95
Opcode Fuzzy Hash: e64f6a5505b1e893a14c63466c46314e97379ca3a7baa7abafe8bcdc78503561
Instruction Fuzzy Hash: 9941D171A00244EFD724DF38C841BAABBE9EB88710F11452FF651DB382D7719A019790

Function 00D156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D15783
GetLastError.KERNEL32(?,00000000), ref: 00D157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D157FA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d1aaab5d3b268a853e4d410f2fa194aac51e17d9537d6b0cd8cdbc64c404a558
Instruction ID: 0e2c3154acc8cb66708041be3eb5cb5306e96b4877f0d616b647fc2acf26b939
Opcode Fuzzy Hash: d1aaab5d3b268a853e4d410f2fa194aac51e17d9537d6b0cd8cdbc64c404a558
Instruction Fuzzy Hash: 0A411F39600611DFCB11EF55D585A5EBBE2FF89314B198488E84AAB362CB34FD40DBA1

Function 00CDD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CC6D71,00000000,00000000,00CC82D9,?,00CC82D9,?,00000001,00CC6D71,8BE85006,00000001,00CC82D9,00CC82D9), ref: 00CDD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CDD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CDD9AB
__freea.LIBCMT ref: 00CDD9B4

Part of subcall function 00CD3820: RtlAllocateHeap.NTDLL(00000000,?,00D71444,?,00CBFDF5,?,?,00CAA976,00000010,00D71440,00CA13FC,?,00CA13C6,?,00CA1129), ref: 00CD3852

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 22f2b382b5eec745cdbc815481f827a0d7b972d7f6ac5783c550efc9c2a81abc
Instruction ID: 7faf747da9a2002988d929bd4ff96ec4bd38e358fca4c79b8081563979d99ddb
Opcode Fuzzy Hash: 22f2b382b5eec745cdbc815481f827a0d7b972d7f6ac5783c550efc9c2a81abc
Instruction Fuzzy Hash: 4531FE72A1020AABDF249F65DC91EBE7BA5EB40310F05016AFD15D7290EB36CE50DBA0

Function 00D0AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00D0ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D0AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D0AC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00D0ACC6

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5921694d921020da725de9eabe25f2769fa2f6a9da02aaaefb841110e60be66b
Instruction ID: 69c9765a6b40b3b604393fbc8ecf60b9776fe9a7a1793e5cd1b55a2f3c7f1bd0
Opcode Fuzzy Hash: 5921694d921020da725de9eabe25f2769fa2f6a9da02aaaefb841110e60be66b
Instruction Fuzzy Hash: 07310734A04718AFFF35CB69CC097FE7BA5AB89310F09431AE48D962D1C3758985877A

Function 00D37674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D3769A
GetWindowRect.USER32(?,?), ref: 00D37710
PtInRect.USER32(?,?,00D38B89), ref: 00D37720
MessageBeep.USER32(00000000), ref: 00D3778C

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5b51fff253dbac9df26f45cbc94ec69b1fa6bd2bb91d8c218a97e9bb783704f6
Instruction ID: a7e7b7517c306ed1e22019907278597f0f08dbf9d67dd790103e8d276135ae9c
Opcode Fuzzy Hash: 5b51fff253dbac9df26f45cbc94ec69b1fa6bd2bb91d8c218a97e9bb783704f6
Instruction Fuzzy Hash: 31419CB8605A14AFCB21CF58C895EA977F4FB49310F1841A8E524DB361D330E942CFB0

Function 00D316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D316EB

Part of subcall function 00D03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D03A57
Part of subcall function 00D03A3D: GetCurrentThreadId.KERNEL32 ref: 00D03A5E
Part of subcall function 00D03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D025B3), ref: 00D03A65

GetCaretPos.USER32(?), ref: 00D316FF
ClientToScreen.USER32(00000000,?), ref: 00D3174C
GetForegroundWindow.USER32 ref: 00D31752

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d6e7b22bf1bee106ff7cb56a96010d0b87db30a7f6a3bc1e5e0dc56c79be9fe8
Instruction ID: 8451a7a67ffe4380131ae7fd3e1195ded95e879980455a8cdd3c04a4ba1d55f4
Opcode Fuzzy Hash: d6e7b22bf1bee106ff7cb56a96010d0b87db30a7f6a3bc1e5e0dc56c79be9fe8
Instruction Fuzzy Hash: B33121B5D00249AFC704DFA9C881DAEB7FDEF49308B548069E415E7251D731DE45CBA0

Function 00D0D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D0D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D0D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D0D52F
CloseHandle.KERNEL32(00000000), ref: 00D0D5DC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dff6fa6f652f3333f315d43291d58441585e7875a5dfbcc68395598bbd9edd22
Instruction ID: 0cc403b23023b19200f5f6bc90626b6333adc13047e4deeb2e5b1b9fe9f383d6
Opcode Fuzzy Hash: dff6fa6f652f3333f315d43291d58441585e7875a5dfbcc68395598bbd9edd22
Instruction Fuzzy Hash: B83191721083019FD300EF64CC85BAFBBE8EF9A358F14092DF585961E1EB719945DBA2

Function 00D38FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

GetCursorPos.USER32(?), ref: 00D39001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CF7711,?,?,?,?,?), ref: 00D39016
GetCursorPos.USER32(?), ref: 00D3905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CF7711,?,?,?), ref: 00D39094

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b724280f7d33b0b56683d51e90b144626d33fe0d03030d40b44ec930501547f5
Instruction ID: 6febfcf3a58037e3d795d3e2a8ef8a029e766f2808a8969ce8e792a1c773d0d2
Opcode Fuzzy Hash: b724280f7d33b0b56683d51e90b144626d33fe0d03030d40b44ec930501547f5
Instruction Fuzzy Hash: 5D21D135600218EFCB298FA8CC68EFABBB9EF49350F084155F90597261D3719990EB70

Function 00D0D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D3CB68), ref: 00D0D2FB
GetLastError.KERNEL32 ref: 00D0D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D0D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D3CB68), ref: 00D0D376

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 84fe7038ce901278ec9adea052c51c1fb508f1cf92e838f707b9c4023189f44d
Instruction ID: cb3d848ac8845574e81ed7bf22e6a401ffc7d8ed81416e5e0e7ab5c14a1e370f
Opcode Fuzzy Hash: 84fe7038ce901278ec9adea052c51c1fb508f1cf92e838f707b9c4023189f44d
Instruction Fuzzy Hash: 0D21A1705093029FC700DFA8C88196BB7E4EE56368F544A1EF499D32E1D730D94ACBA3

Function 00D01571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D0102A
Part of subcall function 00D01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D01036
Part of subcall function 00D01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01045
Part of subcall function 00D01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0104C
Part of subcall function 00D01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D01062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D015BE
_memcmp.LIBVCRUNTIME ref: 00D015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D01617
HeapFree.KERNEL32(00000000), ref: 00D0161E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f56aa0ba45121b4dae35286a5882b991bbbe83309d163d2e49ea035d322f675e
Instruction ID: d5ce3e44ec7419aafafe9457bacfdd62a530c2bb165ecac8ee4ed3edb9a64e0d
Opcode Fuzzy Hash: f56aa0ba45121b4dae35286a5882b991bbbe83309d163d2e49ea035d322f675e
Instruction Fuzzy Hash: 52217832E00208AFDB14DFA4CD49BEEB7B8EF44344F084459E449AB281E731AA45DBA0

Function 00D32782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D3280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D32824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D32832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D32840

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fc79cfc6acc5a13bb010b6ff95a753c44ffac64ba96385b07d922dd6fae0fd9f
Instruction ID: 36dad5dfa52540e9ac41b126f5cc85e0585585a6d4b9ffc93bab044e5a85c446
Opcode Fuzzy Hash: fc79cfc6acc5a13bb010b6ff95a753c44ffac64ba96385b07d922dd6fae0fd9f
Instruction Fuzzy Hash: C121A131A05611AFD7149B24C855FBA7BA5EF45324F188158F466CB6E2C771FC42C7A0

Function 00D078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D0790A,?,000000FF,?,00D08754,00000000,?,0000001C,?,?), ref: 00D08D8C
Part of subcall function 00D08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00D08DB2
Part of subcall function 00D08D7D: lstrcmpiW.KERNEL32(00000000,?,00D0790A,?,000000FF,?,00D08754,00000000,?,0000001C,?,?), ref: 00D08DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D07923
lstrcpyW.KERNEL32(00000000,?), ref: 00D07949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D08754,00000000,?,0000001C,?,?,00000000), ref: 00D07984

Strings

cdecl, xrefs: 00D0797B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 47003f6a128d3d0389aecac8277da3c0b54866a99d9c1dbcef4084216c9d33b6
Instruction ID: 4466659afdc102487063e6467e2234823562ab4f5e7c937ce8702609eebb3f18
Opcode Fuzzy Hash: 47003f6a128d3d0389aecac8277da3c0b54866a99d9c1dbcef4084216c9d33b6
Instruction Fuzzy Hash: E211B43A600341AFCB155F34D845EBA77A9FF45350B54402AE94ACB3A4EB71D811DBB1

Function 00D37CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D37D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D37D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D37D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D1B7AD,00000000), ref: 00D37D6B

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c1c803b10b84db20d3f646f3ee8b194363f563b92a6b06eae16aeb36601714c5
Instruction ID: d5fec4c01086028f394e7e785c56d51006ea8335b696b57b6c23220b6dcbae36
Opcode Fuzzy Hash: c1c803b10b84db20d3f646f3ee8b194363f563b92a6b06eae16aeb36601714c5
Instruction Fuzzy Hash: 2511DF72214A54EFCB208F28DC04AA63BA4AF45360F198324F939D72F0E730C952DB60

Function 00D01A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D01A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D01A8A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 096e13cb119c49c7a2f2d56afada9fb63130da9762c9a602e74a6d9882d152aa
Instruction ID: 6b061dcd810ea03a11c46235013cec7d16eb44a48767dfbdb25c8ed4a84c0c3d
Opcode Fuzzy Hash: 096e13cb119c49c7a2f2d56afada9fb63130da9762c9a602e74a6d9882d152aa
Instruction Fuzzy Hash: 8711FA3AA01219FFEB119BA5CD85FADBB78EB04754F200091E604B7290D6716E51DBA4

Function 00D0E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D0E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D0E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D0E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D0E24D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0361c4ad605c399c426a0455df0b45232291e7831d20c6132a3cf121f491e8a4
Instruction ID: cfb620cb10dd0b0855ab46921476a02eb59ce51bc2520d0621b3428cc1decf4f
Opcode Fuzzy Hash: 0361c4ad605c399c426a0455df0b45232291e7831d20c6132a3cf121f491e8a4
Instruction Fuzzy Hash: 7C11AD76904358BBC7019BA8AC09B9A7BACAB45324F044769F929E3391E6B0C94487B0

Function 00CCD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CCCFF9,00000000,00000004,00000000), ref: 00CCD218
GetLastError.KERNEL32 ref: 00CCD224
__dosmaperr.LIBCMT ref: 00CCD22B
ResumeThread.KERNEL32(00000000), ref: 00CCD249

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 8d1003379ca001ec579ebf3d3dbf06b1654ad2e1d3f5bce846d37f11369c8d48
Instruction ID: 70f1bee55d6ebb65f382c6a4ed949c79743a96c68afed9093278f78a5aebf20f
Opcode Fuzzy Hash: 8d1003379ca001ec579ebf3d3dbf06b1654ad2e1d3f5bce846d37f11369c8d48
Instruction Fuzzy Hash: 7A01D276805204BBCB216BA5DC09FAE7A6DDF81331F20022DF926921D0CB70CD41E7A0

Function 00CC3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CC3B56

Part of subcall function 00CC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CC3AD2
Part of subcall function 00CC3AA3: ___AdjustPointer.LIBCMT ref: 00CC3AED

_UnwindNestedFrames.LIBCMT ref: 00CC3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CC3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CC3BA4

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 50cfa37b2020b7fe82f3beca904313014b8739cd062866351e8570080e37d389
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E0010C32100189BBDF125E95DC46EEB7F7EEF58754F048018FE5896121C732E961EBA0

Function 00CD3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CA13C6,00000000,00000000,?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue), ref: 00CD30A5
GetLastError.KERNEL32(?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue,00D42290,FlsSetValue,00000000,00000364,?,00CD2E46), ref: 00CD30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CD301A,00CA13C6,00000000,00000000,00000000,?,00CD328B,00000006,FlsSetValue,00D42290,FlsSetValue,00000000), ref: 00CD30BF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8539b6737afcaef4e2887e9c3a5b11c39b0c45278b06f7953506ed67160a5d92
Instruction ID: e64f0b9406c5c596ce4357ed7eea4688d6e0a45d846cc5ef5c1cd7406fd38d20
Opcode Fuzzy Hash: 8539b6737afcaef4e2887e9c3a5b11c39b0c45278b06f7953506ed67160a5d92
Instruction Fuzzy Hash: 49012B36311362ABCB314B79AC449577B98AF45B61B140621FB15F3380D721EA01C7F1

Function 00D07464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D0747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D07497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D074CA

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3b9fef2a1edb097ad38900ba9353de3d0b36bfc76c7c2c4cbdad6cdfa985f4ac
Instruction ID: 05c20d061389f11af8cfd0f0a11012cd28502c534bc628186ed6d5f7470a99d4
Opcode Fuzzy Hash: 3b9fef2a1edb097ad38900ba9353de3d0b36bfc76c7c2c4cbdad6cdfa985f4ac
Instruction Fuzzy Hash: 2E1180B5A05315AFE7208F54EC09F927FFCEB00B04F108569A65AEA191D7B0F904DB70

Function 00D0B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D0ACD3,?,00008000), ref: 00D0B126

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7617ff0a15e48bbace7e6127c23c287aba3dc757e50347794fad70956f549c46
Instruction ID: bb790c3e7c60658f9020b5543013f488875f311db1a743785d700f4696d5265e
Opcode Fuzzy Hash: 7617ff0a15e48bbace7e6127c23c287aba3dc757e50347794fad70956f549c46
Instruction Fuzzy Hash: 26113C31D05718D7CF009FA4D9587EEBB78FF1A721F104086D945B2281CB7095509B72

Function 00D02DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D02DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D02DD6
GetCurrentThreadId.KERNEL32 ref: 00D02DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D02DE4

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6d833fb474ba774ac9e27776e06e838e0ca1a882e620d7a819e1da7d95deaac0
Instruction ID: 627a46026a9c8e80171f92ba161ec65b0e73296ffd2a0de8f05596f87dbf832e
Opcode Fuzzy Hash: 6d833fb474ba774ac9e27776e06e838e0ca1a882e620d7a819e1da7d95deaac0
Instruction Fuzzy Hash: 9CE092716123247BDB201B729C0EFFB3E6CEF42BA1F041015F109E11909AA4C840C7F0

Function 00D38863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB9693
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96A2
Part of subcall function 00CB9639: BeginPath.GDI32(?), ref: 00CB96B9
Part of subcall function 00CB9639: SelectObject.GDI32(?,00000000), ref: 00CB96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D38887
LineTo.GDI32(?,?,?), ref: 00D38894
EndPath.GDI32(?), ref: 00D388A4
StrokePath.GDI32(?), ref: 00D388B2

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cdbd167efcdfef795879ff015df212bfc92b56f8dbf1eac3cf00909374924c55
Instruction ID: 4229e7b4008b76d762b654967f62d21e5ee42b8a24c6416ec23341f02751d7b2
Opcode Fuzzy Hash: cdbd167efcdfef795879ff015df212bfc92b56f8dbf1eac3cf00909374924c55
Instruction Fuzzy Hash: A4F03A36055758BADB125F98AC09FCA3B69AF06310F088100FB12B52E2C7B55551DFF5

Function 00CB98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CB98CC
SetTextColor.GDI32(?,?), ref: 00CB98D6
SetBkMode.GDI32(?,00000001), ref: 00CB98E9
GetStockObject.GDI32(00000005), ref: 00CB98F1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 99115a795775c9fc74cfa0b62cf9a11f312b87d53dee56a339c08dfc1fb770a0
Instruction ID: 51f3b0ed170682a5fe63536b5c9666f338cb21fd7fac9fe836569c064d4e7372
Opcode Fuzzy Hash: 99115a795775c9fc74cfa0b62cf9a11f312b87d53dee56a339c08dfc1fb770a0
Instruction Fuzzy Hash: A6E06531254744AADB215B74EC09BE83F10EB11375F049319F7F9A41E1C3724640DB21

Function 00D0162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D01634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D011D9), ref: 00D0163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D011D9), ref: 00D01648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D011D9), ref: 00D0164F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0b7e5ab564a8984e0351e3a482787ed0442bd6bacfc226fb8971a64c416e7bb9
Instruction ID: 7b8fc1c1c8602545a25564c9920689b00ca609e522f88515d01a987679d71fa4
Opcode Fuzzy Hash: 0b7e5ab564a8984e0351e3a482787ed0442bd6bacfc226fb8971a64c416e7bb9
Instruction Fuzzy Hash: B8E08C36612311EBD7301FA0AE0DB873B7CAF44792F188808F249E9080E7348444CB74

Function 00CFD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CFD858
GetDC.USER32(00000000), ref: 00CFD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CFD882
ReleaseDC.USER32(?), ref: 00CFD8A3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ad12e34c14c58922ae02c7b970ea77c06a5b2da40cb010ff55343ace5f4b10a
Instruction ID: 277a280f43b3b21ebd874f32cbeb362800718645effb782d4908eeeadf373eea
Opcode Fuzzy Hash: 0ad12e34c14c58922ae02c7b970ea77c06a5b2da40cb010ff55343ace5f4b10a
Instruction Fuzzy Hash: DCE01AB1810305DFCB41AFA1D84D66DBBB2FB08310F109009F846F7360D7388901AF60

Function 00CFD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CFD86C
GetDC.USER32(00000000), ref: 00CFD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CFD882
ReleaseDC.USER32(?), ref: 00CFD8A3

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ae09b8265559444941ff7070d662719112ada7c6980c8599a70e348aeedcf05
Instruction ID: 0d34a8d7be79c6598d4450e52170f660835ba03f1741a622ab10595385112e69
Opcode Fuzzy Hash: 3ae09b8265559444941ff7070d662719112ada7c6980c8599a70e348aeedcf05
Instruction Fuzzy Hash: 45E012B1810304EFCB40AFA0D84D66DBBB1BB08310F10A008F84AF7360DB389901AF60

Function 00D14D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA7620: _wcslen.LIBCMT ref: 00CA7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D14ED4

Strings

*, xrefs: 00D14E10
LPT, xrefs: 00D14DFB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 973d4b2d496a5e685e61b54e099b8f1662a030fe18b53b556dfc63a3c0257d88
Instruction ID: d23c2c9ecd1ef3002fc0483317c62d0cf95c1b77b26bf644f0360bd7d42d0d17
Opcode Fuzzy Hash: 973d4b2d496a5e685e61b54e099b8f1662a030fe18b53b556dfc63a3c0257d88
Instruction Fuzzy Hash: 63915175A00205AFCB14DF58D484EEABBF1BF45308F198099E4459F352DB35ED86CB60

Function 00CCE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CCE30D

Strings

pow, xrefs: 00CCE2E5, 00CCE302

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 043009a4813db92cc64d7793e719c56cb527b1ae7c1005633e97801a9ecf295d
Instruction ID: 924bdefaf34d657871346e78faa073d176ff832918a35d0f89ffc17dd8b69e08
Opcode Fuzzy Hash: 043009a4813db92cc64d7793e719c56cb527b1ae7c1005633e97801a9ecf295d
Instruction Fuzzy Hash: 7A515C61A0C3029ACB157B14C901B7A3BA4AF42740F744E9EF5E5823F9FB348D95AA46

Function 00CBE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CBE1B1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 54330777d9d696ae9c3f6555ee07e1950a6e992eabbcec26d1619e56307b1086
Instruction ID: 612820167b9c31bc5b9d03414d6ebdae3445f6078f47cba7bec5eeb86c202f07
Opcode Fuzzy Hash: 54330777d9d696ae9c3f6555ee07e1950a6e992eabbcec26d1619e56307b1086
Instruction Fuzzy Hash: 5751593550434ADFDB15EF68C081AFA7BA4EF16710F244066FD619B2E0D7349E42DBA2

Function 00CBF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CBF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CBF2BB

Strings

@, xrefs: 00CBF2AF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f909c854986455cf5ca09f9424480250b631ad3daf1bf8ed665fed04b3698a00
Instruction ID: e2d1cbc1bb6b6581b1653929f96de6dd6480934e84ede9c5e8a52f61f4898f5b
Opcode Fuzzy Hash: f909c854986455cf5ca09f9424480250b631ad3daf1bf8ed665fed04b3698a00
Instruction Fuzzy Hash: 445134724087499FD320AF54DC86BABBBF8FB85304F81885DF199811A5EB708529CB66

Function 00D02999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D029EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D02A8D

Part of subcall function 00D02C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D02CE0

Strings

@U=u, xrefs: 00D029EB, 00D02A8D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 187809f6f6bdcc1d2873542d3f852332c469c73bc05265c08363b399ec4f0ca7
Instruction ID: 8d273e916ead6b60a7955c5caeb692efcc530105d3a1305411ba7c80c275ef39
Opcode Fuzzy Hash: 187809f6f6bdcc1d2873542d3f852332c469c73bc05265c08363b399ec4f0ca7
Instruction Fuzzy Hash: C3419130A01209ABDF25DF54C84ABFE7BB9EF45714F080029F909A32D1DB709A45DBB1

Function 00D25745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D257E0
_wcslen.LIBCMT ref: 00D257EC

Strings

CALLARGARRAY, xrefs: 00D257E6, 00D257EB

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0783617a5925859681a0dd02ffbc52a4f75ab2e04bab1217b4e27f75223a512d
Instruction ID: e4de321e68d12cc4717815a2207614e6bdb2a89b2519fa7b17fc277d8c643822
Opcode Fuzzy Hash: 0783617a5925859681a0dd02ffbc52a4f75ab2e04bab1217b4e27f75223a512d
Instruction Fuzzy Hash: D141A131A001199FCB04DFA8E881DAEFBB5FF69318F144029E505A7295D770DD81DBA0

Function 00D1D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D1D13A

Strings

|, xrefs: 00D1D10B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 768de2e701f369b616a4a68d7673ef23b5d7dc4efaacc3f44ff3616bccf1d57d
Instruction ID: 6218b5b6783c23dcccf9751c709389e479265025691869224ce40ec7effab1d2
Opcode Fuzzy Hash: 768de2e701f369b616a4a68d7673ef23b5d7dc4efaacc3f44ff3616bccf1d57d
Instruction Fuzzy Hash: 21311971D00219BBCF15EFE4DC85AEEBFBAFF05304F040019E815A6166DB35AA46DB60

Function 00D3356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D33621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D3365C

Strings

static, xrefs: 00D335BC

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 599b13124aeff6dcdaafcb46492999a3f9f1cabaa6fc9598dc5c1ecbe83e9a55
Instruction ID: 1cef76c26efa56ae50b742cc477caf4f4f7b7448adb5408c99d54fc0f0708fbf
Opcode Fuzzy Hash: 599b13124aeff6dcdaafcb46492999a3f9f1cabaa6fc9598dc5c1ecbe83e9a55
Instruction Fuzzy Hash: A9319A72110204AEDB209F68DC81EFB73A9FF88764F149619F8A5D7290DA30ED91DB70

Function 00D34537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D3461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D34634

Strings

', xrefs: 00D3458E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 21be11103693d6397f0957937303ca494949176b6705a4c6ab20af3f277c685f
Instruction ID: 7ba6ffa81d72a3ddfec19cbbac4027bbb4b3dc8f20bbb2f72f495fd593a3d120
Opcode Fuzzy Hash: 21be11103693d6397f0957937303ca494949176b6705a4c6ab20af3f277c685f
Instruction Fuzzy Hash: 8D312575A0130A9FDB14CFA9C981BDABBB5FF09300F14406AE904AB391E774E941CFA0

Function 00D0286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D02884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D028B6

Strings

@U=u, xrefs: 00D02884, 00D028B6

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 974498594fff3ca5f8b7a216c3bff4bb9b33b16ffd553a264ffaa86630c4222b
Instruction ID: e5c57af28f16595742fd9df203b33f77bf29f983c58f5e269f2cf8883e448594
Opcode Fuzzy Hash: 974498594fff3ca5f8b7a216c3bff4bb9b33b16ffd553a264ffaa86630c4222b
Instruction Fuzzy Hash: 97214936E00215ABCB15AF94D885EBFB7B9EF89714F044019F909B72D0EA709C41CBB0

Function 00D03BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D03D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D03C23
_strlen.LIBCMT ref: 00D03C2E

Strings

@U=u, xrefs: 00D03C23

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: deb9bd6511ffca6b522f40825a4b4c5960e1b834b7b89a33f63058475d9282fc
Instruction ID: 773b1abed415cfd2a8781398939277b9860e866f0c4d5fa5e49194979e705718
Opcode Fuzzy Hash: deb9bd6511ffca6b522f40825a4b4c5960e1b834b7b89a33f63058475d9282fc
Instruction Fuzzy Hash: CF11DA3270011527DB296E78D892ABE776C8F56B44F14003DF94AEB2D2DE20DE4297F8

Function 00D3336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0ED19: GetLocalTime.KERNEL32 ref: 00D0ED2A
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0ED3B
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0ED79
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0EDAF
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0EDDF
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0EDEF
Part of subcall function 00D0ED19: _wcslen.LIBCMT ref: 00D0EE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 00D3340A

Strings

SysDateTimePick32, xrefs: 00D333C7
@U=u, xrefs: 00D3340A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: eb58b56945ac5a1af8e08715b1d479619efa3c273afe89ecd5750f95d81b1045
Instruction ID: fb17857aeb08bd4a3acb485390e08b35ea7986b26ccee22f90287236a2d8d85c
Opcode Fuzzy Hash: eb58b56945ac5a1af8e08715b1d479619efa3c273afe89ecd5750f95d81b1045
Instruction Fuzzy Hash: 332103323502096FEF229E54DC82FEE33AAEB44754F244519F940EB1D0DAB5EC8087B0

Function 00D0215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D02178

Part of subcall function 00D0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D0B355
Part of subcall function 00D0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B365
Part of subcall function 00D0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D02194,00000034,?,?,00001004,00000000,00000000), ref: 00D0B37B

Part of subcall function 00D0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021D0,?,?,00000034,00000800,?,00000034), ref: 00D0B42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 00D021DF

Part of subcall function 00D0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D0B3F8

Strings

@U=u, xrefs: 00D02178, 00D021DF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 8b345f6150f31e803c3542a0a62d5144f984a26732a1490bce1680d1f00ae8e1
Instruction ID: 740c8fd0af1add182e0fe64e4715295d2bc7c3b13a8bb1aade63609e450879fe
Opcode Fuzzy Hash: 8b345f6150f31e803c3542a0a62d5144f984a26732a1490bce1680d1f00ae8e1
Instruction Fuzzy Hash: 5E215C31902229ABEF15ABA8DC45FEDBBB8FF08354F1001A6E548A61D0EA705A44DB64

Function 00D331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D3327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D33287

Strings

Combobox, xrefs: 00D33249

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 54241be1e0c340c22dd320259f3a1c341b625db206acfbe20eb58f1030204191
Instruction ID: cdb64d383a8ac77db60958c81e7c06029cd3f6171ed9fe2f6629da51181c8d07
Opcode Fuzzy Hash: 54241be1e0c340c22dd320259f3a1c341b625db206acfbe20eb58f1030204191
Instruction Fuzzy Hash: E711E2753002087FEF219F54DD81EBB376AEB943A4F140228F918DB290D6319D618770

Function 00D33710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CA604C
Part of subcall function 00CA600E: GetStockObject.GDI32(00000011), ref: 00CA6060
Part of subcall function 00CA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CA606A

GetWindowRect.USER32(00000000,?), ref: 00D3377A
GetSysColor.USER32(00000012), ref: 00D33794

Strings

static, xrefs: 00D33757

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6afa73490b0f6e7fe2759abc18eab60b28c3b853b7185c8be4e0e13ff0fe7a18
Instruction ID: 3f1c512968133706c21444c71cec612f36b6c7b465f68b1b42b7baf413a7b68b
Opcode Fuzzy Hash: 6afa73490b0f6e7fe2759abc18eab60b28c3b853b7185c8be4e0e13ff0fe7a18
Instruction Fuzzy Hash: 901137B261020AAFDF00DFA8CD46EFA7BB8FB08354F045914F955E2250E775E861DB60

Function 00D36181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D361FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00D36225

Strings

@U=u, xrefs: 00D361FC, 00D36225

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a8ae18ae7227533b0054185bb41b88747bedb4b6989ff4aa4a00029590efd00d
Instruction ID: 762e6d7147d0006a1a2af923af26d39c8cfc7cbdf407ca5e0a39a7b31daaa6f6
Opcode Fuzzy Hash: a8ae18ae7227533b0054185bb41b88747bedb4b6989ff4aa4a00029590efd00d
Instruction Fuzzy Hash: 9211BF39140214BFEB108F68DC1AFBB3BA4EB0A714F558115FA56EA1E1D3B0DA00DB78

Function 00D1CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D1CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D1CDA6

Strings

<local>, xrefs: 00D1CD66

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 33f24b611ed72f4d3606d8ff525e1411b4655ccef08b984f823c3d73b0e84a57
Instruction ID: c47936c6f93446e113ff99edb601ac8b2b38f5ce52851bb97e4c250328d0c387
Opcode Fuzzy Hash: 33f24b611ed72f4d3606d8ff525e1411b4655ccef08b984f823c3d73b0e84a57
Instruction Fuzzy Hash: 8E11C6B12A56317AD7344B66BC45EE7BE6CEF127A4F005226B549D3180DB709881D6F0

Function 00D34F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00D34FCC

Strings

@U=u, xrefs: 00D34FCC, 00D35008

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 0b153d3bc1dd1c6c0f985050f46c996ff037f909c04ca189aeb137ba1115e2d2
Instruction ID: b692cad3f6ca04fbfd337412e0df9c6ccfffc73ef9cf191fa525af78e53ed750
Opcode Fuzzy Hash: 0b153d3bc1dd1c6c0f985050f46c996ff037f909c04ca189aeb137ba1115e2d2
Instruction Fuzzy Hash: F221D37A61021AEFCB15CFA8D9408EA7BB5FF4D344B044154FA05A7324D732EA21EBA0

Function 00D330D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00D33147

Strings

@U=u, xrefs: 00D33147
button, xrefs: 00D3311E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: e03ca9ccce4c21295087264a9592de051caa7d65ffd75032b6ae859492de6dfc
Instruction ID: 38b70ae921121e0abbf5d23d91d478d7bad347dcdaa5719871ce3f0b5ee517d1
Opcode Fuzzy Hash: e03ca9ccce4c21295087264a9592de051caa7d65ffd75032b6ae859492de6dfc
Instruction Fuzzy Hash: EC11A132250309ABDF118F64DC41FEA3B6AEB08354F140214FE54A7190C776E8A1AB70

Function 00D06C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CA9CB3: _wcslen.LIBCMT ref: 00CA9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D06CB6
_wcslen.LIBCMT ref: 00D06CC2

Strings

STOP, xrefs: 00D06CBC, 00D06CC1

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 202e11ac6a510f914dbb24c4b5efa62b7c54acda562c70f929e69f9c75d4f76b
Instruction ID: 5046c9626966f31829b48e0c3008aef2515cf9be671c859b9e71d7fc23eb1460
Opcode Fuzzy Hash: 202e11ac6a510f914dbb24c4b5efa62b7c54acda562c70f929e69f9c75d4f76b
Instruction Fuzzy Hash: 8A012232A005278BDB20AFBDDC81BBF3BB4EF61714B040528E866972D0EB31D860C670

Function 00D023DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021D0,?,?,00000034,00000800,?,00000034), ref: 00D0B42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D0243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D0245E

Strings

@U=u, xrefs: 00D0243B, 00D0245E

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 3317536b7609b9a943f385b285486a33bdd5576476b7850b3b3b46444fbf4d78
Instruction ID: 9983dc95414d1c18c047fdabcd73d446043c5ae8236fb4cbe0235b0a3410451f
Opcode Fuzzy Hash: 3317536b7609b9a943f385b285486a33bdd5576476b7850b3b3b46444fbf4d78
Instruction Fuzzy Hash: A701F932900218ABEB116F64DC4AFFEBB78DB14324F10402AF559B61D1DB709E44CB70

Function 00D34366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D343AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00D34408

Strings

@U=u, xrefs: 00D343AF

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 37d7359153ef8185f54eb26b9ff602b2bccf105be5b5c956b1984df5b75a7d8c
Instruction ID: f2a0c816c02f657460dc353dc0b73b56838fd89401fb3dec5ce0720cb5e30e97
Opcode Fuzzy Hash: 37d7359153ef8185f54eb26b9ff602b2bccf105be5b5c956b1984df5b75a7d8c
Instruction Fuzzy Hash: 6B11BC30500744AFE721CF24C891BEBBBE4BF06310F14891CE8AB97291CB71B941DB60

Function 00D0250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00D02531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00D02564

Part of subcall function 00D0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D0B3F8

Part of subcall function 00CA6B57: _wcslen.LIBCMT ref: 00CA6B6A

Strings

@U=u, xrefs: 00D02531, 00D02564

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 61b6baff0c82a90a2a6a09ee2fa683fdb388154400eca1506568c0c4c750dd6e
Instruction ID: 96757ff42e9ee37d4cd6f9d0d1c0bf9588c55abd30a9cc08969d2cc6d2cd4591
Opcode Fuzzy Hash: 61b6baff0c82a90a2a6a09ee2fa683fdb388154400eca1506568c0c4c750dd6e
Instruction Fuzzy Hash: 29016D71901118AFDB50AF90DC95EED77ACEB14344F80D0A6F649A6190DE305E88DBA0

Function 00D390A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CB9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00CF769C,?,?,?), ref: 00D39111

Part of subcall function 00CB9944: GetWindowLongW.USER32(?,000000EB), ref: 00CB9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00D390F7

Strings

@U=u, xrefs: 00D390F7

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: d60793fec9166a7e312d32adba02c80590031bd4f0ca8f3dd110c621244547c0
Instruction ID: 874dd13083fbb24eea07d862c79522c2b6e3b901080c42df285c93221e65c691
Opcode Fuzzy Hash: d60793fec9166a7e312d32adba02c80590031bd4f0ca8f3dd110c621244547c0
Instruction Fuzzy Hash: 2C01B135100304ABDB219F18DC59EA67BA6EB85365F140118FA556B3E1C7B26841DB70

Function 00D0246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D02480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D02497

Part of subcall function 00D023DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D0243B

Strings

@U=u, xrefs: 00D02480, 00D02497

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 12cd94fb70235643f2ba460e9079b8630922f8a78c498db93cf4705d313f6f1d
Instruction ID: 5783b387bb63643b17b7bfc8e24c6e6be83d9c2b83f1aa2bd79cdee05d6c9954
Opcode Fuzzy Hash: 12cd94fb70235643f2ba460e9079b8630922f8a78c498db93cf4705d313f6f1d
Instruction Fuzzy Hash: A6F0E230602121BBEB211B16DC0FDEFBF6DDF56760B100014F409E21A1C6A19D41C7B0

Function 00D2747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D27493
_wcslen.LIBCMT ref: 00D274B9

Strings

3, 3, 16, 1, xrefs: 00D27483

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9919a41b3de19afba31e62a804d2710c24c17259c8915673f3ca82edc1bbf1d8
Instruction ID: 1a047bf6fb8894682a43e2d390f5201abb051282355e0c97b9187f84e8f15203
Opcode Fuzzy Hash: 9919a41b3de19afba31e62a804d2710c24c17259c8915673f3ca82edc1bbf1d8
Instruction Fuzzy Hash: F5E02B026042301092353279FCC1EBF568DCFD6754714182FF981C2266EAA4CD93A3B0

Function 00D02BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D02BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D02C2A

Strings

@U=u, xrefs: 00D02BFA, 00D02C2A

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: af284bcb419f1abe5e2743ec2ce851d3b55f5486a35c34e429d5f009e3587bb9
Instruction ID: 645eae3478ac9f78595e39841d74c857fcfb737c9ae6f94a7da96d89a4f44421
Opcode Fuzzy Hash: af284bcb419f1abe5e2743ec2ce851d3b55f5486a35c34e429d5f009e3587bb9
Instruction Fuzzy Hash: 62F0A076340304BFFA116B84EC8BFBA3B58EB14761F001014F7496A1E0C9E25C0097B0

Function 00D02D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D02884
Part of subcall function 00D0286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D028B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00D02D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D02D90

Strings

@U=u, xrefs: 00D02D80, 00D02D90

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d2122fec629812922bc4bf68a303e2b59b9a88af7e30110c68c81998f045c435
Instruction ID: d88ae010e888131ae419ebf8fdd29a80ac934f997131d5b6bf42304ce31d8910
Opcode Fuzzy Hash: d2122fec629812922bc4bf68a303e2b59b9a88af7e30110c68c81998f045c435
Instruction Fuzzy Hash: F2E092392443057BF6210A519C4EFB3375CD758755F101026F208A51E1DAE2CC105670

Function 00D35829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00D35855
InvalidateRect.USER32(?,?,00000001), ref: 00D35877

Strings

@U=u, xrefs: 00D35855

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 192fc87683aa0b04c6cad64f1bbbb887d2caa4634a2c26e75eb663162dc1e6f1
Instruction ID: 9cc5f4373bbe2f1ebc712d0e0fb00baf61a52279a33f0d08b97a5724dea331a9
Opcode Fuzzy Hash: 192fc87683aa0b04c6cad64f1bbbb887d2caa4634a2c26e75eb663162dc1e6f1
Instruction Fuzzy Hash: 26F08272604140AFDB20CB65EC45FEEBBF8EB86321F0441B2E55AE9165D6308A91CF30

Function 00D00B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D00B23

Strings

Error allocating memory., xrefs: 00D00B1C
AutoIt, xrefs: 00D00B17

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0abd4e3c6c537c6f4b21043d3c83b3cc355edd353e12273b768bb8bc2746aba7
Instruction ID: 5cebbeda0eefabdb72e7b50456d4ea0c2d1b5d535933b810f8b6b6b2dbdb3992
Opcode Fuzzy Hash: 0abd4e3c6c537c6f4b21043d3c83b3cc355edd353e12273b768bb8bc2746aba7
Instruction Fuzzy Hash: 53E0DF322943183AD2143794BC03FC97A848F05B61F10042EFB98A56C38AE264902BB9

Function 00CC0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CC0D71,?,?,?,00CA100A), ref: 00CBF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CA100A), ref: 00CC0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CA100A), ref: 00CC0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CC0D7F

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fd52611ed9ffd2189174ac1855d200638a2efc8b035c7b9021c1e9738d2a91cd
Instruction ID: 6469c54dd53a937c9d3a5914ee781518d5cf5d5ffaa3fe8551d0e49d3cf2cec4
Opcode Fuzzy Hash: fd52611ed9ffd2189174ac1855d200638a2efc8b035c7b9021c1e9738d2a91cd
Instruction Fuzzy Hash: 00E06D742007118BD3209FB8D8087427BE0AB00744F104A6DE886D6751DBB4E4848BA1

Function 00CFD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CFD220

Strings

X64, xrefs: 00CFD2A8
%.3d, xrefs: 00CFD22B

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 47566c175de3756d3829ac0cce003d28584e62ea2f8d81dbab2da113b2cfa1d0
Instruction ID: b5832b0183d19afbb4bbcf4772c6bc3bc00edb8d8e6f7df8de5274ede666ada4
Opcode Fuzzy Hash: 47566c175de3756d3829ac0cce003d28584e62ea2f8d81dbab2da113b2cfa1d0
Instruction Fuzzy Hash: 80D012A180810CEACBD097D2DC458FAB37DAB18301F508452FA07E1140E624C90867A3

Function 00D32356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D3236C
PostMessageW.USER32(00000000), ref: 00D32373

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Strings

Shell_TrayWnd, xrefs: 00D32365

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8fed50e796ee3a5ae519efbd102c6e9fd11a5d23cb9fc7a52532c72748717051
Instruction ID: 400ecca2a56c477a1bdb346ccf986838beb86c932390a8d06c149f2e48b50d13
Opcode Fuzzy Hash: 8fed50e796ee3a5ae519efbd102c6e9fd11a5d23cb9fc7a52532c72748717051
Instruction Fuzzy Hash: F4D0C9323913107BE664A770AC0FFC676149B05B10F1059167645FA2E0C9A0A8058B74

Function 00D32322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D3232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D3233F

Part of subcall function 00D0E97B: Sleep.KERNEL32 ref: 00D0E9F3

Strings

Shell_TrayWnd, xrefs: 00D32325

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 073d4945b70a41aa7da866c418609e28697394de21e4e3e277e5eb463dab5db7
Instruction ID: c738f89cd80bfd3dc83ef20b62d93f8361cac4145089b47b2c57e12c84f36fd6
Opcode Fuzzy Hash: 073d4945b70a41aa7da866c418609e28697394de21e4e3e277e5eb463dab5db7
Instruction Fuzzy Hash: 41D012363A4310BBE664B770EC0FFC67A149B00B10F1059167749FA2E0C9F0A805CB74

Function 00D02313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D0231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00D0232D

Strings

@U=u, xrefs: 00D0231F, 00D0232D

Memory Dump Source

Source File: 00000000.00000002.1460242936.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.1460228029.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D3C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460316546.0000000000D62000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460434032.0000000000D6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460475291.0000000000D74000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_8f5WsFcnTc.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c1330916563c9eae40737719fb135f86cbca92f5620445e9f1c9103e5b51b5f4
Instruction ID: c6f541e2a8512db9d9afaff8c129fc78bf434eabe71edf500b260df9a3c6b2bb
Opcode Fuzzy Hash: c1330916563c9eae40737719fb135f86cbca92f5620445e9f1c9103e5b51b5f4
Instruction Fuzzy Hash: B9C00231150280BBE6211B67AD0ED573E3DE7DAF517102158B215E51B586650055D634

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8f5WsFcnTc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_a7e47327-a6cd-4a75-a021-f666aba22f2d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER645F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER648F.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

C:\Users\user\AppData\Local\Temp\WER548F.tmp.WERDataCollectionStatus.txt

C:\Users\user\AppData\Local\Temp\aut4E06.tmp

C:\Users\user\AppData\Local\Temp\aut4E46.tmp

C:\Users\user\AppData\Local\Temp\autD2CB.tmp

C:\Users\user\AppData\Local\Temp\autD32A.tmp

C:\Users\user\AppData\Local\Temp\autD74F.tmp

C:\Users\user\AppData\Local\Temp\autD899.tmp

C:\Users\user\AppData\Local\Temp\jailless

Windows Analysis Report
8f5WsFcnTc.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre