Edit tour

Windows Analysis Report
jsLnybSs43.exe

Overview

General Information

Sample name:	jsLnybSs43.exe renamed because original name is a hash value
Original sample name:	02c3b5f839835e6735b68fdda6047a51ba7e15185ee2ecfb9453c851dcea792b.exe
Analysis ID:	1466958
MD5:	1578aa8133e0536d5fa8de7c24d73387
SHA1:	1e14d2f296db56eeedb9034e68931534fc83d2b3
SHA256:	02c3b5f839835e6735b68fdda6047a51ba7e15185ee2ecfb9453c851dcea792b
Tags:	exeFormbook
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

jsLnybSs43.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\jsLnybSs43.exe" MD5: 1578AA8133E0536D5FA8DE7C24D73387)

name.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\jsLnybSs43.exe" MD5: 1578AA8133E0536D5FA8DE7C24D73387)

RegSvcs.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\jsLnybSs43.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

newfile.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

newfile.exe (PID: 7840 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 8000 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 1578AA8133E0536D5FA8DE7C24D73387)

RegSvcs.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.jaszredony.hu", "Username": "info@jaszredony.hu", "Password": "jRedony77"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2651546459.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1719617635.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3463a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34756:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34832:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34958:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3463a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34756:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34832:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34958:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 7332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 7332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: name.exe PID: 7332	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7384	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: name.exe PID: 8000	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: name.exe PID: 8000	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: name.exe PID: 8000	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 8020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8020	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.name.exe.f70000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.name.exe.f70000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.name.exe.f70000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.name.exe.f70000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3463a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34756:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34832:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34958:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3463a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34756:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34832:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34958:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.name.exe.f70000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.name.exe.f70000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.name.exe.f70000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x327c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3283a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x328c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32956:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x329c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32a32:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32ac8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32b58:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.name.exe.36c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.36c0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.36c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x327c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3283a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x328c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32956:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x329c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32a32:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32ac8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32b58:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.name.exe.36c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.name.exe.36c0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.name.exe.36c0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.name.exe.36c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x345c8:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3463a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x346c4:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34756:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x347c0:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34832:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x348c8:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34958:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 7944, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7384, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 7944, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.jaszredony.hu", "Username": "info@jaszredony.hu", "Password": "jRedony77"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: jsLnybSs43.exe

ReversingLabs: Detection: 75%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jsLnybSs43.exe

Joe Sandbox ML: detected

Source: jsLnybSs43.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000004.00000000.1538573179.0000000000872000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1413880038.0000000003700000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1414047576.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1715619380.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1716043993.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1413880038.0000000003700000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1414047576.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1715619380.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1716043993.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000004.00000000.1538573179.0000000000872000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F7DBBE
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F4C2A2 FindFirstFileExW,	0_2_00F4C2A2
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F868EE FindFirstFileW,FindClose,	0_2_00F868EE
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F8698F
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F7D076
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F7D3A9
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F89642
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8979D
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F89B2B
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F85C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00D9DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D6C2A2 FindFirstFileExW,	2_2_00D6C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA68EE FindFirstFileW,FindClose,	2_2_00DA68EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00DA698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00D9D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00D9D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DA9642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DA979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00DA9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00DA5C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 178.238.222.77:26

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 178.238.222.77 178.238.222.77

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: TARHELYHU TARHELYHU

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00F8CE44

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.jaszredony.hu

Source: RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000003.00000002.1719178917.00000000012C9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2650028167.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1718639487.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2650342180.0000000000C04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 0000000B.00000002.2654731734.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOhX
Source: RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 0000000B.00000002.2654731734.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.comodoca.cRX
Source: RegSvcs.exe, 00000003.00000002.1719617635.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: name.exe, 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.1719178917.00000000012C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting3c3
Source: RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.jaszredony.hu
Source: RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1718639487.000000000127E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2650342180.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000003.00000002.1719617635.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: name.exe, 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.name.exe.36c0000.1.raw.unpack, SKTzxzsJw.cs	.Net Code: VFcsem
Source: 10.2.name.exe.f70000.1.raw.unpack, SKTzxzsJw.cs	.Net Code: VFcsem

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F8EAFF

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00F8ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00DAED6A

Source: C:\Users\user\Desktop\jsLnybSs43.exe

0_2_00F8EAFF

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F7AA57

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00FA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00FA9576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00DC9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.name.exe.f70000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: jsLnybSs43.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: jsLnybSs43.exe, 00000000.00000000.1390020262.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0175e436-e
Source: jsLnybSs43.exe, 00000000.00000000.1390020262.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_14e835c2-3
Source: jsLnybSs43.exe, 00000000.00000003.1398855634.00000000042D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bbf3cda8-b
Source: jsLnybSs43.exe, 00000000.00000003.1398855634.00000000042D1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e8397617-e
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000002.00000002.1417185249.0000000000DF2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0bc8f327-0
Source: name.exe, 00000002.00000002.1417185249.0000000000DF2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b6522870-6
Source: name.exe, 0000000A.00000000.1704930660.0000000000DF2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0632abee-f
Source: name.exe, 0000000A.00000000.1704930660.0000000000DF2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7174a6da-5
Source: jsLnybSs43.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd026bfd-f
Source: jsLnybSs43.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_47ef725e-0
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_def38c47-2
Source: name.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fde7e906-7

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F7D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F7D5EB

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F71201

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00F7E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00D9E8F6

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F18060	0_2_00F18060
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F82046	0_2_00F82046
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F78298	0_2_00F78298
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F4E4FF	0_2_00F4E4FF
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F4676B	0_2_00F4676B
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00FA4873	0_2_00FA4873
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F1CAF0	0_2_00F1CAF0
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F3CAA0	0_2_00F3CAA0
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F2CC39	0_2_00F2CC39
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F46DD9	0_2_00F46DD9
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F191C0	0_2_00F191C0
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F2B119	0_2_00F2B119
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F31394	0_2_00F31394
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F31706	0_2_00F31706
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F3781B	0_2_00F3781B
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F319B0	0_2_00F319B0
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F2997D	0_2_00F2997D
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F17920	0_2_00F17920
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F37A4A	0_2_00F37A4A
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F37CA7	0_2_00F37CA7
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F31C77	0_2_00F31C77
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F49EEE	0_2_00F49EEE
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F9BE44	0_2_00F9BE44
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F31F32	0_2_00F31F32
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_026D3670	0_2_026D3670
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D3BF40	2_2_00D3BF40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA2046	2_2_00DA2046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D38060	2_2_00D38060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D98298	2_2_00D98298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D6E4FF	2_2_00D6E4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D6676B	2_2_00D6676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DC4873	2_2_00DC4873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D3CAF0	2_2_00D3CAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D5CAA0	2_2_00D5CAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D4CC39	2_2_00D4CC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D66DD9	2_2_00D66DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D391C0	2_2_00D391C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D4B119	2_2_00D4B119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D51394	2_2_00D51394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D51706	2_2_00D51706
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D5781B	2_2_00D5781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D519B0	2_2_00D519B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D4997D	2_2_00D4997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D37920	2_2_00D37920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D57A4A	2_2_00D57A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D57CA7	2_2_00D57CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D51C77	2_2_00D51C77
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D69EEE	2_2_00D69EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DBBE44	2_2_00DBBE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D51F32	2_2_00D51F32
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00CE3670	2_2_00CE3670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D4F200	3_2_02D4F200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D4B4B8	3_2_02D4B4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D44AD0	3_2_02D44AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D4E970	3_2_02D4E970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D43EB8	3_2_02D43EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02D44200	3_2_02D44200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0669C880	3_2_0669C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0669B25C	3_2_0669B25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A6638	3_2_066A6638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A55F0	3_2_066A55F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066AB280	3_2_066AB280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A2360	3_2_066A2360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A0040	3_2_066A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066AC1D0	3_2_066AC1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A7DC8	3_2_066A7DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A76E8	3_2_066A76E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066AE3F8	3_2_066AE3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A5D40	3_2_066A5D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06CD3500	3_2_06CD3500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_066A0006	3_2_066A0006
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 4_2_012F0BC0	4_2_012F0BC0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00ED3670	10_2_00ED3670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010BF1E1	11_2_010BF1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010BB498	11_2_010BB498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010B4AD0	11_2_010B4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010B3EB8	11_2_010B3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010B4200	11_2_010B4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010BE960	11_2_010BE960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06266638	11_2_06266638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0626B495	11_2_0626B495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_062655F0	11_2_062655F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06267DC8	11_2_06267DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_062630A8	11_2_062630A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0626C1D0	11_2_0626C1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_062676E8	11_2_062676E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06265D2F	11_2_06265D2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0626E3F8	11_2_0626E3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06260040	11_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06A33500	11_2_06A33500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0626003B	11_2_0626003B

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: String function: 00F2F9F2 appears 40 times
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: String function: 00F19CB3 appears 31 times
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: String function: 00F30A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00D50A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00D4F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00D39CB3 appears 31 times

Source: jsLnybSs43.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.name.exe.f70000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.name.exe.36c0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.name.exe.36c0000.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/14@3/2

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F837B5 GetLastError,FormatMessageW,

0_2_00F837B5

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F710BF AdjustTokenPrivileges,CloseHandle,	0_2_00F710BF
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00F716C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D910BF AdjustTokenPrivileges,CloseHandle,	2_2_00D910BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00D916C3

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F851CD

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F9A67C

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00F8648E

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F142A2

Source: C:\Users\user\Desktop\jsLnybSs43.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03

Source: C:\Users\user\Desktop\jsLnybSs43.exe

File created: C:\Users\user\AppData\Local\Temp\aut7353.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: jsLnybSs43.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jsLnybSs43.exe

ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\jsLnybSs43.exe

File read: C:\Users\user\Desktop\jsLnybSs43.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\jsLnybSs43.exe "C:\Users\user\Desktop\jsLnybSs43.exe"
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\jsLnybSs43.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jsLnybSs43.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\jsLnybSs43.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jsLnybSs43.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: jsLnybSs43.exe

Static file information: File size 1190400 > 1048576

Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jsLnybSs43.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jsLnybSs43.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: newfile.exe, 00000004.00000000.1538573179.0000000000872000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.1413880038.0000000003700000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1414047576.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1715619380.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1716043993.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.1413880038.0000000003700000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.1414047576.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1715619380.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.1716043993.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: newfile.exe, 00000004.00000000.1538573179.0000000000872000.00000002.00000001.01000000.00000007.sdmp, newfile.exe.3.dr

Source: jsLnybSs43.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jsLnybSs43.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jsLnybSs43.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jsLnybSs43.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jsLnybSs43.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F142DE

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F30A76 push ecx; ret	0_2_00F30A89
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D50A76 push ecx; ret	2_2_00D50A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06694A50 push 140679DAh; iretd	3_2_06694A5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0626429D push ebx; ret	11_2_062642DA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe			Jump to dropped file
Source: C:\Users\user\Desktop\jsLnybSs43.exe	File created: C:\Users\user\AppData\Local\directory\name.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00F2F98E
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00FA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00FA1C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00D4F98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00DC1C41

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: name.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 8000, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98447
Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: CE3294
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: ED3294

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: name.exe, 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8113	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1752	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8197	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1666	Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe	API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.1 %

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 7648	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F7DBBE
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F4C2A2 FindFirstFileExW,	0_2_00F4C2A2
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F868EE FindFirstFileW,FindClose,	0_2_00F868EE
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00F8698F
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F7D076
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F7D3A9
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F89642
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8979D
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00F89B2B
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00F85C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00D9DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D6C2A2 FindFirstFileExW,	2_2_00D6C2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA68EE FindFirstFileW,FindClose,	2_2_00DA68EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_00DA698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00D9D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00D9D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DA9642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DA979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00DA9B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DA5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_00DA5C97

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97338	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95787	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95089	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94609	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: name.exe, 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_02D470B0 CheckRemoteDebuggerPresent,

3_2_02D470B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F8EAA2 BlockInput,

0_2_00F8EAA2

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F42622

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F142DE

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F34CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F34CE8
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_026D3560 mov eax, dword ptr fs:[00000030h]	0_2_026D3560
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_026D3500 mov eax, dword ptr fs:[00000030h]	0_2_026D3500
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_026D1E70 mov eax, dword ptr fs:[00000030h]	0_2_026D1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D54CE8 mov eax, dword ptr fs:[00000030h]	2_2_00D54CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00CE3560 mov eax, dword ptr fs:[00000030h]	2_2_00CE3560
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00CE3500 mov eax, dword ptr fs:[00000030h]	2_2_00CE3500
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00CE1E70 mov eax, dword ptr fs:[00000030h]	2_2_00CE1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00ED3560 mov eax, dword ptr fs:[00000030h]	10_2_00ED3560
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00ED1E70 mov eax, dword ptr fs:[00000030h]	10_2_00ED1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_00ED3500 mov eax, dword ptr fs:[00000030h]	10_2_00ED3500

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F70B62

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F42622
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F3083F
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F309D5 SetUnhandledExceptionFilter,	0_2_00F309D5
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F30C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D62622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D5083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D509D5 SetUnhandledExceptionFilter,	2_2_00D509D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00D50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00D50C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D0E008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 824008			Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

0_2_00F71201

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F52BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F52BA5

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F7B226 SendInput,keybd_event,

0_2_00F7B226

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F922DA

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\jsLnybSs43.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

0_2_00F70B62

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F71663

Source: jsLnybSs43.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: jsLnybSs43.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F30698 cpuid

0_2_00F30698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F88195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00F88195

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F6D27A GetUserNameW,

0_2_00F6D27A

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F4B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00F4B952

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F142DE

Source: C:\Users\user\Desktop\jsLnybSs43.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2651546459.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1719617635.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8020, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8020, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.2.name.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2651546459.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1719617635.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 8000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8020, type: MEMORYSTR

Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00F91204
Source: C:\Users\user\Desktop\jsLnybSs43.exe	Code function: 0_2_00F91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00F91806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_00DB1204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_00DB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00DB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	841 Security Software Discovery	SSH	3 Clipboard Data	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	351 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jsLnybSs43.exe	75%	ReversingLabs	Win32.Trojan.AgentTesla
jsLnybSs43.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\name.exe	75%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\newfile\newfile.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting3c3	0%	Avira URL Cloud	safe
http://crt.comodoca.cRX	0%	Avira URL Cloud	safe
http://mail.jaszredony.hu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.jaszredony.hu	178.238.222.77	true	true		unknown
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting3c3	RegSvcs.exe, 00000003.00000002.1719178917.00000000012C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000003.00000002.1723315657.0000000006180000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2654731734.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.jaszredony.hu	RegSvcs.exe, 00000003.00000002.1719617635.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002C14000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	name.exe, 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.comodoca.cRX	RegSvcs.exe, 0000000B.00000002.2654731734.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1719617635.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000003.00000002.1719617635.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2651546459.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
178.238.222.77	mail.jaszredony.hu	Hungary		43359	TARHELYHU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466958
Start date and time:	2024-07-03 15:44:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jsLnybSs43.exe renamed because original name is a hash value
Original Sample Name:	02c3b5f839835e6735b68fdda6047a51ba7e15185ee2ecfb9453c851dcea792b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/14@3/2
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target newfile.exe, PID 7576 because it is empty
Execution Graph export aborted for target newfile.exe, PID 7840 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: jsLnybSs43.exe

Simulations

Behavior and APIs

Time	Type	Description
09:45:56	API Interceptor	101x Sleep call for process: RegSvcs.exe modified
15:45:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
15:46:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
15:46:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	H1sut2Xo3r.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	1ppvR5VRT6.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	BUBIJ0OwLP.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
178.238.222.77	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse
	temp.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse
	whitegick.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.jaszredony.hu	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	temp.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	whitegick.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
ip-api.com	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	H1sut2Xo3r.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1ppvR5VRT6.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	BUBIJ0OwLP.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TARHELYHU	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	temp.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	whitegick.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	FC4311009.exe	Get hash	malicious	AgentTesla	Browse	178.238.222.77
	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	178.238.211.25
	#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	185.51.188.44
TUT-ASUS	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	BomqT2a55e.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	H1sut2Xo3r.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1ppvR5VRT6.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	BUBIJ0OwLP.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7Pqym5wyq5.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\newfile\newfile.exe	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse
	fiDe44VTwh.exe	Get hash	malicious	AgentTesla	Browse
	TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	llD1w4ROY5.exe	Get hash	malicious	AgentTesla	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse
	54dse57Lv7.exe	Get hash	malicious	AgentTesla	Browse
	001 Tech. Spec pdf.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\aut7353.tmp

Download File

Process:	C:\Users\user\Desktop\jsLnybSs43.exe
File Type:	data
Category:	dropped
Size (bytes):	162582
Entropy (8bit):	7.948504820557971
Encrypted:	false
SSDEEP:	3072:eZ8+JSEz5CIJgxoFwBXQd8v+k4NYJUG7PT0uqJLYOa+3:O8+JJz5D+oFwBXQxk4Nk30uuLzn3
MD5:	82F015955A379EDC4BD2AEC25CB61599
SHA1:	E89F9065C78D2AF56FBB60E7E64661FA9BB09FD6
SHA-256:	17A5A2A25ED4D5680FECD1D81D693A01AA9688B04B4768B3BEEE2E1306AEF8CA
SHA-512:	6CD119E3CF5942C488B031B8CDC77A72DED612D8D882FCA5473028DFB1E57311819BA89CF7BED402011A740AC2CA6E3BC4A51338CC61AAD94296875D985E9F6C
Malicious:	false
Reputation:	low
Preview:	EA06.....[:.Z..P..f4N~.cS..j...bmA...5z..mG....J...0..jt....@.q...+t.}^c.."...g;l.L+.+..8.Q...;.N...5V.C.K...9y.^g.i..7;.W.`...B&58mR.M...p.\|...y.R.T.Lh.t.I.t.?.P.......s...l..%F.U..H.z.]..R.Y..Wb.P....j.f.)..j.Z.........ps........j..G.1.R.A~../.3W..@.{8..jp....h59...t.ykS.$@..........u.Ug1....R.W"...CZ..j ......Ej....$..+Uz..........2...".Y......`..\|.\..jS...Y..4....M.W.:?@..[....^....%.R.uO%.cR..6^YW..,..w..rQU..`.J.......)...U....^.q...srl.v.4..9..N.7.Q'..4.-Z....]....Mb....m...;..M.uX..q.......n{...rk..m.r..Bu<.^f.Z4.ay.M&.I]c.2...+.f.7..{z.....l.U..{..[..u;..-.s...u.Z@.Y]..(..e`.,..t. ..v..I.:.h.As.."............R...I.AN."sH..:3...L.EY.=..._......w....M.r.....z..h7..D.r(R......p7...Y..K.......&.z%^.I..!t......M.T:.V}Q..l...;i.l.}.M....>..............H...Cd.,pk=9._..,uu...CUY..6..$.A7.J,R..W6.N't:..;...n.Y]zx....>.\.Rj :..io.U.5..^Mk.L)<.5F.P..`Sj.v[c..#.j.^%(..k3[v..O.Pj.....6...r..^.4...0..B...&..d.....+T....}...p..z..h.I..#S.....oW..q...m

C:\Users\user\AppData\Local\Temp\aut7393.tmp

Download File

Process:	C:\Users\user\Desktop\jsLnybSs43.exe
File Type:	data
Category:	dropped
Size (bytes):	9824
Entropy (8bit):	7.604515338445106
Encrypted:	false
SSDEEP:	192:G7U22a8T/o87KtDDM+a2MnUjWfDOV/LEcKgtsZAwU+MZTrGgOtR:G7iJ7o8etDDM+adUjMOxDKtRgRalH
MD5:	ABA92F2655AD8F6134356CC63D52C843
SHA1:	233AF7289A89BC37AC1E550C9007ADB7DE13F7FD
SHA-256:	2BE85FBAC899A8E4419F70CAC992FB85EC27BEFC28B9EA6AF0DF2B8B1E55674E
SHA-512:	7ABCDD4AB53A32E9338B08265ECB74DECF175C1FEBE869481E94EE600DD8E4F9A04629F3F6077FC8228ED0EBCCD5A18D5F79111DB3553933FE4BA988D172D29F
Malicious:	false
Reputation:	low
Preview:	EA06..t..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\aut777A.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	162582
Entropy (8bit):	7.948504820557971
Encrypted:	false
SSDEEP:	3072:eZ8+JSEz5CIJgxoFwBXQd8v+k4NYJUG7PT0uqJLYOa+3:O8+JJz5D+oFwBXQxk4Nk30uuLzn3
MD5:	82F015955A379EDC4BD2AEC25CB61599
SHA1:	E89F9065C78D2AF56FBB60E7E64661FA9BB09FD6
SHA-256:	17A5A2A25ED4D5680FECD1D81D693A01AA9688B04B4768B3BEEE2E1306AEF8CA
SHA-512:	6CD119E3CF5942C488B031B8CDC77A72DED612D8D882FCA5473028DFB1E57311819BA89CF7BED402011A740AC2CA6E3BC4A51338CC61AAD94296875D985E9F6C
Malicious:	false
Preview:	EA06.....[:.Z..P..f4N~.cS..j...bmA...5z..mG....J...0..jt....@.q...+t.}^c.."...g;l.L+.+..8.Q...;.N...5V.C.K...9y.^g.i..7;.W.`...B&58mR.M...p.\|...y.R.T.Lh.t.I.t.?.P.......s...l..%F.U..H.z.]..R.Y..Wb.P....j.f.)..j.Z.........ps........j..G.1.R.A~../.3W..@.{8..jp....h59...t.ykS.$@..........u.Ug1....R.W"...CZ..j ......Ej....$..+Uz..........2...".Y......`..\|.\..jS...Y..4....M.W.:?@..[....^....%.R.uO%.cR..6^YW..,..w..rQU..`.J.......)...U....^.q...srl.v.4..9..N.7.Q'..4.-Z....]....Mb....m...;..M.uX..q.......n{...rk..m.r..Bu<.^f.Z4.ay.M&.I]c.2...+.f.7..{z.....l.U..{..[..u;..-.s...u.Z@.Y]..(..e`.,..t. ..v..I.:.h.As.."............R...I.AN."sH..:3...L.EY.=..._......w....M.r.....z..h7..D.r(R......p7...Y..K.......&.z%^.I..!t......M.T:.V}Q..l...;i.l.}.M....>..............H...Cd.,pk=9._..,uu...CUY..6..$.A7.J,R..W6.N't:..;...n.Y]zx....>.\.Rj :..io.U.5..^Mk.L)<.5F.P..`Sj.v[c..#.j.^%(..k3[v..O.Pj.....6...r..^.4...0..B...&..d.....+T....}...p..z..h.I..#S.....oW..q...m

C:\Users\user\AppData\Local\Temp\aut7827.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9824
Entropy (8bit):	7.604515338445106
Encrypted:	false
SSDEEP:	192:G7U22a8T/o87KtDDM+a2MnUjWfDOV/LEcKgtsZAwU+MZTrGgOtR:G7iJ7o8etDDM+adUjMOxDKtRgRalH
MD5:	ABA92F2655AD8F6134356CC63D52C843
SHA1:	233AF7289A89BC37AC1E550C9007ADB7DE13F7FD
SHA-256:	2BE85FBAC899A8E4419F70CAC992FB85EC27BEFC28B9EA6AF0DF2B8B1E55674E
SHA-512:	7ABCDD4AB53A32E9338B08265ECB74DECF175C1FEBE869481E94EE600DD8E4F9A04629F3F6077FC8228ED0EBCCD5A18D5F79111DB3553933FE4BA988D172D29F
Malicious:	false
Preview:	EA06..t..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\autEE7E.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	162582
Entropy (8bit):	7.948504820557971
Encrypted:	false
SSDEEP:	3072:eZ8+JSEz5CIJgxoFwBXQd8v+k4NYJUG7PT0uqJLYOa+3:O8+JJz5D+oFwBXQxk4Nk30uuLzn3
MD5:	82F015955A379EDC4BD2AEC25CB61599
SHA1:	E89F9065C78D2AF56FBB60E7E64661FA9BB09FD6
SHA-256:	17A5A2A25ED4D5680FECD1D81D693A01AA9688B04B4768B3BEEE2E1306AEF8CA
SHA-512:	6CD119E3CF5942C488B031B8CDC77A72DED612D8D882FCA5473028DFB1E57311819BA89CF7BED402011A740AC2CA6E3BC4A51338CC61AAD94296875D985E9F6C
Malicious:	false
Preview:	EA06.....[:.Z..P..f4N~.cS..j...bmA...5z..mG....J...0..jt....@.q...+t.}^c.."...g;l.L+.+..8.Q...;.N...5V.C.K...9y.^g.i..7;.W.`...B&58mR.M...p.\|...y.R.T.Lh.t.I.t.?.P.......s...l..%F.U..H.z.]..R.Y..Wb.P....j.f.)..j.Z.........ps........j..G.1.R.A~../.3W..@.{8..jp....h59...t.ykS.$@..........u.Ug1....R.W"...CZ..j ......Ej....$..+Uz..........2...".Y......`..\|.\..jS...Y..4....M.W.:?@..[....^....%.R.uO%.cR..6^YW..,..w..rQU..`.J.......)...U....^.q...srl.v.4..9..N.7.Q'..4.-Z....]....Mb....m...;..M.uX..q.......n{...rk..m.r..Bu<.^f.Z4.ay.M&.I]c.2...+.f.7..{z.....l.U..{..[..u;..-.s...u.Z@.Y]..(..e`.,..t. ..v..I.:.h.As.."............R...I.AN."sH..:3...L.EY.=..._......w....M.r.....z..h7..D.r(R......p7...Y..K.......&.z%^.I..!t......M.T:.V}Q..l...;i.l.}.M....>..............H...Cd.,pk=9._..,uu...CUY..6..$.A7.J,R..W6.N't:..;...n.Y]zx....>.\.Rj :..io.U.5..^Mk.L)<.5F.P..`Sj.v[c..#.j.^%(..k3[v..O.Pj.....6...r..^.4...0..B...&..d.....+T....}...p..z..h.I..#S.....oW..q...m

C:\Users\user\AppData\Local\Temp\autEECE.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9824
Entropy (8bit):	7.604515338445106
Encrypted:	false
SSDEEP:	192:G7U22a8T/o87KtDDM+a2MnUjWfDOV/LEcKgtsZAwU+MZTrGgOtR:G7iJ7o8etDDM+adUjMOxDKtRgRalH
MD5:	ABA92F2655AD8F6134356CC63D52C843
SHA1:	233AF7289A89BC37AC1E550C9007ADB7DE13F7FD
SHA-256:	2BE85FBAC899A8E4419F70CAC992FB85EC27BEFC28B9EA6AF0DF2B8B1E55674E
SHA-512:	7ABCDD4AB53A32E9338B08265ECB74DECF175C1FEBE869481E94EE600DD8E4F9A04629F3F6077FC8228ED0EBCCD5A18D5F79111DB3553933FE4BA988D172D29F
Malicious:	false
Preview:	EA06..t..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........\|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.\|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K\|..c.Mm.@..[..._..p......>Kx#G.o..3\|w...G.4..&@8_..kp..i\|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...\|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...

C:\Users\user\AppData\Local\Temp\demonetising

Download File

Process:	C:\Users\user\Desktop\jsLnybSs43.exe
File Type:	data
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	6.672773740481238
Encrypted:	false
SSDEEP:	6144:+RiX2NNc+GFs92JHrJvkBY3K7sraeYeciEfvo2:zFFJgrXiCN
MD5:	8273441CE63D9DF3A26622D1F59E409E
SHA1:	4521F4B3ED0D983847055E825D1D1761F1089C05
SHA-256:	8B54AA8D0696AAC71ED4646EB841D10F35136DED58EE8AFF145F277036C6AF01
SHA-512:	9073C9E9D61EC72852A641D099944A98B9E2FE08DF6C7DCC8DA63619F457D33FB078844181E3FD174344C35E0A9B8DC0396216D0653EFBC0CAB55D4C2961D210
Malicious:	false
Preview:	xl.UT9UPQY1D.1S.UPMBX6A.S9WW56GUW9UPUY1D0M1SAUPMBX6AYS9WW56.UW9[O.W1.9...@..l.0_2y#K80GWu4X;>:-.&UmC&/u9#b.y.y>V32.;J_s9UPUY1D`.1S.TSM."^'YS9WW56G.W;T[TR1D.N1SIUPMBX6.P9Ww56G.T9UP.Y1d0M1QAUTMBX6AYS=WW56GUW9uTUY3D0M1SAWP..X6QYS)WW56WUW)UPUY1D M1SAUPMBX6Aa.:W.56GU.:U.PY1D0M1SAUPMBX6AYS9WW16KUW9UPUY1D0M1SAUPMBX6AYS9WW56GUW9UPUY1D0M1SAUPMBX6AYS.WW=6GUW9UPUY1D8m1S.UPMBX6AYS9WyAS?!W9U..Z1D.M1S.VPM@X6AYS9WW56GUW9uPU9.6C?RSAU.HBX6.ZS9QW56.VW9UPUY1D0M1SA.PM.vD$5<ZWW96GUW9QPU[1D0.2SAUPMBX6AYS9W.56.UW9UPUY1D0M1SAUP=.[6AYS9.W56EUR9].WY.r1M2SAUQMB^6AYS9WW56GUW9UPUY1D0M1SAUPMBX6AYS9WW56GUW9UPUY1D-....s.%.K;T.q.R.D....,.~KqX.(U...U....p"3..U.6e..8....&.]U4C......7\D8/. .Z1.D..l..r5...D6.;..)e.XAq.........}\5....,..:<Ty6EF+0yj464+X.2.0SAUP.......>/~ljVX'aB-.....A9....HAYS]WW5DGUWXUPU.1D0"1SA;PMB&6AY-9WWs6GU.9UPbY1D.M1S,UPMfX6A'S9W.H9H...<#..1D0M1f..`./........6.)b7h... ....D..B*.A.....Y..,....;Sz..7L7WDWWIAT.O....v72CPU>QSYd?...r.s.{...(....O.;UW9UPU.1D.M1S..P.BX6.Y.9..56G.9.P.Y..M

C:\Users\user\AppData\Local\Temp\sulfhydric

Download File

Process:	C:\Users\user\Desktop\jsLnybSs43.exe
File Type:	ASCII text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29698
Entropy (8bit):	3.5395819173395764
Encrypted:	false
SSDEEP:	384:yJejrlr2+6evZAWGPlWrqG1NWKJmJEchgNlLLbrMkW8y6N0i0pTixL9YHhC:se9K7evKWGPlWrkJEchgNVbnWyA9i1+C
MD5:	A49D5E9A9441A807793260C25A2DE35A
SHA1:	597D5025A9283C14A7494C3E737D4EBBE220FAE7
SHA-256:	F0396CF16A4DB4D0753D79E46E88F354EA0806A8FC6669A17A0843FA58913EAB
SHA-512:	30BC0B60D0A24504F942B37983877045BD0182FD4425CD9C5B86BFE8BB78007CC282085FF467BBD76D48A3912B49F55325159BDBA532FAE65A0DAAC6C5895FEB
Malicious:	false
Preview:	0k558orp81rppp0200005657o86o00000066894584o96500000066894q86on7200000066895588o86r0000006689458no96500000066894q8pon6p0000006689558ro83300000066894590o93200000066894q92on2r00000066895594o86400000066894596o96p00000066894q98on6p0000006689559n33p06689459po96r00000066898q44sssssson7400000066899546sssssso86400000066898548sssssso96p00000066898q4nsssssson6p0000006689954psssssso82r0000006689854rsssssso96400000066898q50sssssson6p00000066899552sssssso86p00000066898554ssssss33p966898q56sssssson75000000668955q0o873000000668945q2o96500000066894qq4on72000000668955q6o833000000668945q8o93200000066894qqnon2r000000668955qpo864000000668945qro96p00000066894qr0on6p000000668955r233p0668945r4o96100000066898q68sssssson640000006689956nsssssso8760000006689856psssssso96100000066898q6rsssssson7000000066899570sssssso86900000066898572sssssso93300000066898q74sssssson3200000066899576sssssso82r00000066898578sssssso96400000066898q7nsssssson6p0000006689957psssssso86p0000006689857rssssss33p966894q80on73000000668955n0o868

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\jsLnybSs43.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1190400
Entropy (8bit):	6.967123279535829
Encrypted:	false
SSDEEP:	24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a33Zkydpt3+X7:6TvC/MTQYxsWR7anTptOX
MD5:	1578AA8133E0536D5FA8DE7C24D73387
SHA1:	1E14D2F296DB56EEEDB9034E68931534FC83D2B3
SHA-256:	02C3B5F839835E6735B68FDDA6047A51BA7E15185EE2ECFB9453C851DCEA792B
SHA-512:	7916AF656D1188D5F3B2685D09B434B897B2250F0DEED807B70E78022F18F14015B671A0CF2B1AA8A16AFB4B98ED43FDDF87EB9509AE10BA021F5CC4160DF16A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....xf.........."..........z......w.............@.......................................@...@.......@.....................d...\|....@...........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270
Entropy (8bit):	3.417626411866224
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclwL1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlwBQ1A1z4mA2n
MD5:	351EC8C2B40C00A311F6BAD2F7D440D6
SHA1:	ADA0755D548E4B6257B50D665E6CEB9ECF221955
SHA-256:	DCC00A312BA3D4049532E70CA0F9E2BE03A22C633F09123DEBDA40F021EE9443
SHA-512:	150DF05A0B2E481848D6CA49CE5E0C38FCD4F76BB814A1838F9B9F5DE7425BD80FD2EF3B2B2A77DDCD47446D65395817E651A4E9D9636F483BB70DD0944B039B
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 19808bS58f.exe, Detection: malicious, Browse Filename: fiDe44VTwh.exe, Detection: malicious, Browse Filename: TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: llD1w4ROY5.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe, Detection: malicious, Browse Filename: 8f5WsFcnTc.exe, Detection: malicious, Browse Filename: v31TgVEtHi.exe, Detection: malicious, Browse Filename: 54dse57Lv7.exe, Detection: malicious, Browse Filename: 001 Tech. Spec pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.967123279535829
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jsLnybSs43.exe
File size:	1'190'400 bytes
MD5:	1578aa8133e0536d5fa8de7c24d73387
SHA1:	1e14d2f296db56eeedb9034e68931534fc83d2b3
SHA256:	02c3b5f839835e6735b68fdda6047a51ba7e15185ee2ecfb9453c851dcea792b
SHA512:	7916af656d1188d5f3b2685d09b434b897b2250f0deed807b70e78022f18f14015b671a0cf2b1aa8a16afb4b98ed43fddf87eb9509ae10ba021f5cc4160df16a
SSDEEP:	24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8a33Zkydpt3+X7:6TvC/MTQYxsWR7anTptOX
TLSH:	5645AE03738D822EFF5B91721A7AE23146BC6F270123A55F32D85D7EB970165063E6E2
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	6ced8d96b2ace4b2

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6678A713 [Sun Jun 23 22:52:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8FC48EF1C3h
jmp 00007F8FC48EEACFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8FC48EECADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8FC48EEC7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8FC48F186Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8FC48F18B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8FC48F18A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4bf10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x4bf10	0x4c000	b4cc3ef97e4790d1afc2783a08a10730	False	0.7744365491365132	data	7.501608550259967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m	English	Great Britain	0.07952797823258015
RT_MENU	0xe4ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xe5048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe55dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe5c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe60f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe66f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe6d50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe71b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe7310	0x386b4	data			1.000350509753691
RT_GROUP_ICON	0x11f9c4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11f9d8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11f9ec	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11fa00	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11fa14	0x10c	data	English	Great Britain	0.6007462686567164
RT_MANIFEST	0x11fb20	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 15:45:56.140698910 CEST	49704	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:45:56.147538900 CEST	80	49704	208.95.112.1	192.168.2.8
Jul 3, 2024 15:45:56.147691011 CEST	49704	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:45:56.172568083 CEST	49704	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:45:56.177434921 CEST	80	49704	208.95.112.1	192.168.2.8
Jul 3, 2024 15:45:56.679033995 CEST	80	49704	208.95.112.1	192.168.2.8
Jul 3, 2024 15:45:56.729722977 CEST	49704	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:45:57.654073000 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:57.658951044 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:57.659033060 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:58.776432991 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:58.776767015 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:58.781636953 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.091626883 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.091866970 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:59.096910000 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.412825108 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.421493053 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:59.426311016 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.745249987 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.745290995 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.745302916 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.745336056 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:59.745487928 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.745520115 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:59.842962027 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:45:59.883927107 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:45:59.888940096 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.181886911 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.200508118 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:00.205535889 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.487189054 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.488373995 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:00.493356943 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.793261051 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:00.793736935 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:00.798676968 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:02.637212992 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:02.637681007 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:02.642539024 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:02.933357954 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:02.942487001 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:02.948067904 CEST	26	49705	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:02.948219061 CEST	49705	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:26.343842030 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:46:26.349102974 CEST	80	49711	208.95.112.1	192.168.2.8
Jul 3, 2024 15:46:26.349196911 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:46:26.349422932 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:46:26.354751110 CEST	80	49711	208.95.112.1	192.168.2.8
Jul 3, 2024 15:46:26.737606049 CEST	49704	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:46:26.870301962 CEST	80	49711	208.95.112.1	192.168.2.8
Jul 3, 2024 15:46:26.917135000 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:46:27.515225887 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:27.520371914 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:27.521155119 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:28.360761881 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:28.361078978 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:28.366067886 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:28.627897978 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:28.633460045 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:28.638372898 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:28.924863100 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:28.934369087 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:28.939672947 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.257575989 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.257606030 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.257623911 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.257654905 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.257708073 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:29.257766008 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:29.355567932 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.362083912 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:29.367198944 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.688456059 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:29.703963041 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:29.708973885 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:30.056124926 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:30.056715012 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:30.062228918 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:30.417700052 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:30.418126106 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:30.423075914 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:32.806256056 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:32.806575060 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:32.811505079 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:33.158766985 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:33.160437107 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:46:33.160567999 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:33.164535999 CEST	49712	26	192.168.2.8	178.238.222.77
Jul 3, 2024 15:46:33.170078993 CEST	26	49712	178.238.222.77	192.168.2.8
Jul 3, 2024 15:47:17.511287928 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:47:17.823461056 CEST	49711	80	192.168.2.8	208.95.112.1
Jul 3, 2024 15:47:18.253205061 CEST	80	49711	208.95.112.1	192.168.2.8
Jul 3, 2024 15:47:18.253216028 CEST	80	49711	208.95.112.1	192.168.2.8
Jul 3, 2024 15:47:18.253288031 CEST	49711	80	192.168.2.8	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 15:45:56.126971960 CEST	63344	53	192.168.2.8	1.1.1.1
Jul 3, 2024 15:45:56.134146929 CEST	53	63344	1.1.1.1	192.168.2.8
Jul 3, 2024 15:45:57.586257935 CEST	60212	53	192.168.2.8	1.1.1.1
Jul 3, 2024 15:45:57.652374029 CEST	53	60212	1.1.1.1	192.168.2.8
Jul 3, 2024 15:46:26.327630043 CEST	49240	53	192.168.2.8	1.1.1.1
Jul 3, 2024 15:46:26.336886883 CEST	53	49240	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 15:45:56.126971960 CEST	192.168.2.8	1.1.1.1	0x64f1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 15:45:57.586257935 CEST	192.168.2.8	1.1.1.1	0xf622	Standard query (0)	mail.jaszredony.hu	A (IP address)	IN (0x0001)	false
Jul 3, 2024 15:46:26.327630043 CEST	192.168.2.8	1.1.1.1	0xcc65	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 15:45:56.134146929 CEST	1.1.1.1	192.168.2.8	0x64f1	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 3, 2024 15:45:57.652374029 CEST	1.1.1.1	192.168.2.8	0xf622	No error (0)	mail.jaszredony.hu	178.238.222.77	A (IP address)	IN (0x0001)	false
Jul 3, 2024 15:46:26.336886883 CEST	1.1.1.1	192.168.2.8	0xcc65	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	208.95.112.1	80	7384	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 15:45:56.172568083 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 3, 2024 15:45:56.679033995 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 13:45:55 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	208.95.112.1	80	8020	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 15:46:26.349422932 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 3, 2024 15:46:26.870301962 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 13:46:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 29 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	09:45:52
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\jsLnybSs43.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jsLnybSs43.exe"
Imagebase:	0xf10000
File size:	1'190'400 bytes
MD5 hash:	1578AA8133E0536D5FA8DE7C24D73387
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:45:53
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jsLnybSs43.exe"
Imagebase:	0xd30000
File size:	1'190'400 bytes
MD5 hash:	1578AA8133E0536D5FA8DE7C24D73387
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1418067285.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:45:54
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jsLnybSs43.exe"
Imagebase:	0xbc0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1719617635.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1717473764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1719617635.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:46:07
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x870000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:46:07
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:46:15
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Imagebase:	0x890000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:46:15
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:46:23
Start date:	03/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff66b810000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:46:23
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xd30000
File size:	1'190'400 bytes
MD5 hash:	1578AA8133E0536D5FA8DE7C24D73387
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000A.00000002.1718208198.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:46:24
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x640000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2651546459.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2651546459.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00F142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F1430D

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

GetCurrentProcess.KERNEL32(?,00FACB64,00000000,?,?), ref: 00F14422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F14429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F14454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F14466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F14474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F1447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F144A0

Strings

|O, xrefs: 00F536F8
GetNativeSystemInfo, xrefs: 00F14460
kernel32.dll, xrefs: 00F1444F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b45b968ed44afe1f05002fefd3b2417dc22b3b71b28490602c96512c7a8dfaf3
Instruction ID: 51194602facef63a8965b1a133724d907a3b7dd2fc2b2ce9e28b598ab67fc5c6
Opcode Fuzzy Hash: b45b968ed44afe1f05002fefd3b2417dc22b3b71b28490602c96512c7a8dfaf3
Instruction Fuzzy Hash: 1DA1A376D0A2CCCFC711CBAF7CC06D97FA47B66751B184899D8819BA22D2305948FB72

Function 00F142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142C9
LoadResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535BE
SizeofResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535D3
LockResource.KERNEL32(00F150AA,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20,?), ref: 00F535E6

Strings

SCRIPT, xrefs: 00F142BF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fc3e8caa0ba3bb2016c0943d4b805790c6eaf1d4bd68380417fb98b2627d0343
Instruction ID: 55108f33f8696cdf5bef9ccb9002af7ab4335e8ad1987d307619fe4832273368
Opcode Fuzzy Hash: fc3e8caa0ba3bb2016c0943d4b805790c6eaf1d4bd68380417fb98b2627d0343
Instruction Fuzzy Hash: 35118EB1600705BFD7218B65DC48F677BBAEBC6B51F144169F402D6290DB71EC40A670

Function 00F52BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F12B6B

Part of subcall function 00F13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE1418,?,00F12E7F,?,?,?,00000000), ref: 00F13A78

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00FD2224), ref: 00F52C10
ShellExecuteW.SHELL32(00000000,?,?,00FD2224), ref: 00F52C17

Strings

runas, xrefs: 00F52C0B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c1a2e94e33919f10ae60fa0bae80dafd83673f64cfe7c8cb72606a8f637b3d59
Instruction ID: 4526e7ddff3981e8f505b1054f47390f9dac1f28d704779a06767caad0942dff
Opcode Fuzzy Hash: c1a2e94e33919f10ae60fa0bae80dafd83673f64cfe7c8cb72606a8f637b3d59
Instruction Fuzzy Hash: 2911D2316083456AC704FF61DC519EE77A5ABD2320F44042EB182021A3CF388A89B792

Function 00F7DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F55222), ref: 00F7DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F7DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00F7DBEE
FindClose.KERNEL32(00000000), ref: 00F7DBFA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 46dae4dfb3a0abb58f37b6decb6ed4772749cd2c7888922c763248c6cba439ed
Instruction ID: 9b6e914df988fdef2eba061db013cfec5015df111293edcfa3db9e1ad4e6b231
Opcode Fuzzy Hash: 46dae4dfb3a0abb58f37b6decb6ed4772749cd2c7888922c763248c6cba439ed
Instruction Fuzzy Hash: 8FF0E5718109185782216B7CEC0D9AA37BC9E02334B908703F83AC20F0EBB05D54E6D6

Function 00F1D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F1D807
timeGetTime.WINMM ref: 00F1DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1DB28
TranslateMessage.USER32(?), ref: 00F1DB7B
DispatchMessageW.USER32(?), ref: 00F1DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1DB9F
Sleep.KERNEL32(0000000A), ref: 00F1DBB1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 00ebb49749a0faf04463f80934f92ba208d6338e61a5da39f8d1964abc6bc5dc
Instruction ID: d85022a5f0556fc360c59c29fa677eb79349a246dd6b6011493b58027e717df8
Opcode Fuzzy Hash: 00ebb49749a0faf04463f80934f92ba208d6338e61a5da39f8d1964abc6bc5dc
Instruction Fuzzy Hash: 2E42F371A08745DFD728CF24C884BAAB7F4BF86324F54461DE4568B291D778E884FB82

Function 00F12CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F12D07
RegisterClassExW.USER32(00000030), ref: 00F12D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F12D42
InitCommonControlsEx.COMCTL32(?), ref: 00F12D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F12D6F
LoadIconW.USER32(000000A9), ref: 00F12D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F12D94

Strings

+, xrefs: 00F12CF0
AutoIt v3 GUI, xrefs: 00F12D23
TaskbarCreated, xrefs: 00F12D37
0, xrefs: 00F12CE9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1585319b0ed6bcd605fdfb697eeeb635f7a8fa625b3a50fd664d22ea9878c0f1
Instruction ID: c74e6594abcf0b4346f7fe5cb5e37f6e87bf728f36c7e7559c50c4f7054fc0d6
Opcode Fuzzy Hash: 1585319b0ed6bcd605fdfb697eeeb635f7a8fa625b3a50fd664d22ea9878c0f1
Instruction Fuzzy Hash: BE21C0B591125CAFDB00DFA5E889BEDBBB4FB09700F00811AF511AA2A0D7B55544EFA1

Function 00F5065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F5039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F50704,?,?,00000000,?,00F50704,00000000,0000000C), ref: 00F503B7

GetLastError.KERNEL32 ref: 00F5076F
__dosmaperr.LIBCMT ref: 00F50776
GetFileType.KERNELBASE(00000000), ref: 00F50782
GetLastError.KERNEL32 ref: 00F5078C
__dosmaperr.LIBCMT ref: 00F50795
CloseHandle.KERNEL32(00000000), ref: 00F507B5
CloseHandle.KERNEL32(?), ref: 00F508FF
GetLastError.KERNEL32 ref: 00F50931
__dosmaperr.LIBCMT ref: 00F50938

Strings

H, xrefs: 00F508BD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d511e2fe65402bc191fc0b4d97c93ca4a4cfdf16ee2dda939366c50059d87c02
Instruction ID: dba7ddd01e981a15924fcf054e8a03e996bff51637816122926a387ffe51bcfc
Opcode Fuzzy Hash: d511e2fe65402bc191fc0b4d97c93ca4a4cfdf16ee2dda939366c50059d87c02
Instruction Fuzzy Hash: 65A11532E001488FDF19AF68DC91BAE3BA0EB46321F140159FD159F392DF35991AEB91

Function 00F1344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE1418,?,00F12E7F,?,?,?,00000000), ref: 00F13A78

Part of subcall function 00F13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F13379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F1356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F5318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F531CE
RegCloseKey.ADVAPI32(?), ref: 00F53210
_wcslen.LIBCMT ref: 00F53277
_wcslen.LIBCMT ref: 00F53286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F13560
Include, xrefs: 00F53184, 00F531C5
\Include\, xrefs: 00F13527
\, xrefs: 00F5328C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c8d963cf6cd2d4398b4a0b32bd7e882f03767ba793e8f77ad98ab1001fd5a526
Instruction ID: b83c8b2c42a7ba7f3ef5034bc958b3db98dcfce79656ddea4240d5e6487666ff
Opcode Fuzzy Hash: c8d963cf6cd2d4398b4a0b32bd7e882f03767ba793e8f77ad98ab1001fd5a526
Instruction Fuzzy Hash: CA71A1B14043499EC314DF69DC829ABBBECFF85750F40042EF54597161EB789A88EFA2

Function 00F12B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F12B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F12B9D
LoadIconW.USER32(00000063), ref: 00F12BB3
LoadIconW.USER32(000000A4), ref: 00F12BC5
LoadIconW.USER32(000000A2), ref: 00F12BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F12BEF
RegisterClassExW.USER32(?), ref: 00F12C40

Part of subcall function 00F12CD4: GetSysColorBrush.USER32(0000000F), ref: 00F12D07
Part of subcall function 00F12CD4: RegisterClassExW.USER32(00000030), ref: 00F12D31
Part of subcall function 00F12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F12D42
Part of subcall function 00F12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F12D5F
Part of subcall function 00F12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F12D6F
Part of subcall function 00F12CD4: LoadIconW.USER32(000000A9), ref: 00F12D85
Part of subcall function 00F12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F12D94

Strings

AutoIt v3, xrefs: 00F12C2F
0, xrefs: 00F12C0F
#, xrefs: 00F12C16

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 6a9b33e408fed3043f8bcdeb19de5974f8e908b5af22a2c5dba4f55c41fc50c9
Instruction ID: 2af520d5c4423c9b0c3a1c5b64128af7c1ebdb4f27316455ade0a86dd0dc5d11
Opcode Fuzzy Hash: 6a9b33e408fed3043f8bcdeb19de5974f8e908b5af22a2c5dba4f55c41fc50c9
Instruction Fuzzy Hash: E7212CB4E0035CAFDB109FA6EC95AAE7FB4FB48B50F04001AF600AA7A0D7B11540EF90

Function 00F13170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F1316A,?,?), ref: 00F131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F1316A,?,?), ref: 00F13204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F13227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F1316A,?,?), ref: 00F13232
CreatePopupMenu.USER32 ref: 00F13246
PostQuitMessage.USER32(00000000), ref: 00F13267

Strings

TaskbarCreated, xrefs: 00F1322D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c377890cba860f52b496fb33b514aed2264f9f9357e51ad6459d3805b4b8781c
Instruction ID: 636be5515488bb3a1f2ae2571f31342d39366c4dedb21e6f06b70397c5ad683d
Opcode Fuzzy Hash: c377890cba860f52b496fb33b514aed2264f9f9357e51ad6459d3805b4b8781c
Instruction Fuzzy Hash: AD414C32B40288BBDB156B79DD4DBFD3659FB06360F040125F902DA1A2DB758EC0B7A1

Function 00F48D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a709d2a81250b8482f7e75ecb17a8b56ade382bfc4717c926b993515df1ddc6
Instruction ID: 68ab80fb54706df529f5bc898f1d4be8da2660a6b9ccbd43d57c91af9daf38ca
Opcode Fuzzy Hash: 9a709d2a81250b8482f7e75ecb17a8b56ade382bfc4717c926b993515df1ddc6
Instruction Fuzzy Hash: B0C1B375E082499FDB11DFACDC41BAEBFB0AF49320F044155F914A7292CBB49942EB61

Function 026D0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 026D0965

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 8fef669f7e4a2bd6b55951b33ef9b6d79654704f803363b3bdc0b4a9ac00a843
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: B251E675A50209FBEF24DFA4CC49FDE7778AF48700F108554FA0AEA280DA749645CB60

Function 00F12C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F12C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F12CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F11CAD,?), ref: 00F12CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F11CAD,?), ref: 00F12CCF

Strings

AutoIt v3, xrefs: 00F12C89, 00F12C8E, 00F12C8F
edit, xrefs: 00F12CAC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1d77efcbe94a056e81a2eb8148c298537651410a56b0c4d79a0b14c31b05ad75
Instruction ID: adc431002a4ec24a83f9557b21874629043ef246781918de4c79d106525406c4
Opcode Fuzzy Hash: 1d77efcbe94a056e81a2eb8148c298537651410a56b0c4d79a0b14c31b05ad75
Instruction Fuzzy Hash: 84F0DAB55402D87EEB311717AC88E773EBDE7CBF50B00005AF900AB5A0C6721851FAB1

Function 00F82947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82C05
DeleteFileW.KERNEL32(?), ref: 00F82C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F82C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82CC0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 40765e59520e39659cb6d84685f9f42eecf38ad0b3462de543a17254a2acf42c
Instruction ID: e90103c412925bfef744f6c4de3341d119cb5d3aae3714f678c99f051e73fda1
Opcode Fuzzy Hash: 40765e59520e39659cb6d84685f9f42eecf38ad0b3462de543a17254a2acf42c
Instruction Fuzzy Hash: 09B18072D01119ABDF55EFA4CC85EEEB7BDEF49310F0040A6F509E6141EB34AA449F61

Function 026D23B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 026D22A0: Sleep.KERNELBASE(000001F4), ref: 026D22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 026D2520

Strings

56GUW9UPUY1D0M1SAUPMBX6AYS9WW, xrefs: 026D25A6, 026D25A9

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: CreateFileSleep
String ID: 56GUW9UPUY1D0M1SAUPMBX6AYS9WW
API String ID: 2694422964-2187848322
Opcode ID: eef882422b25d7bb55c52560a22e8d880a6385d56e686e0a666a3a174adcb440
Instruction ID: b8717235b66329a9ed00617773b81c341edc20181afc823ea3e0a4be75b2bef9
Opcode Fuzzy Hash: eef882422b25d7bb55c52560a22e8d880a6385d56e686e0a666a3a174adcb440
Instruction Fuzzy Hash: D4717030D0428CDAEF15DBE4D854BEFBB75AF19304F004199E618BB2C1D7BA0A45CBA6

Function 00F13B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B83

Strings

Control Panel\Mouse, xrefs: 00F13B3E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: addff0664ff5f7f9c664d7a05a5ee50760040429bcc2121877202f7c92b3a0aa
Instruction ID: a68cfb62dc82f1ff4fc304210acb5ab8610a449c6db158da9e270f656d95a44b
Opcode Fuzzy Hash: addff0664ff5f7f9c664d7a05a5ee50760040429bcc2121877202f7c92b3a0aa
Instruction Fuzzy Hash: 9F112AB5514208FFDB20CFA5DC44AEFBBB8EF45754B108459A805D7110E2319E80A7A0

Function 00F1DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F632B7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 62fb16dc4fca45f0f37d6b7ebfaa2a64ee267744c51f78822682de1cc3912bc4
Instruction ID: 55f3d0fee54423652e9015185545973c33c0fe06317cc22a6f1c9e16e6fc7ea7
Opcode Fuzzy Hash: 62fb16dc4fca45f0f37d6b7ebfaa2a64ee267744c51f78822682de1cc3912bc4
Instruction Fuzzy Hash: CCC27975E00215CFCB24CF58C880BADB7B1BF18320F248569ED56AB291D775ED82EB91

Function 00F13923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F533A2

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F13A04

Strings

Line: , xrefs: 00F533EB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 0f31f61eb8a986e3fee79ba4e882f6c57251d2281634508b3c2b3085fa3d731d
Instruction ID: 9ea926ef1b92a2300f8ef346a3261b59f3ede2e8e63ed87f05a20c103ee1b14c
Opcode Fuzzy Hash: 0f31f61eb8a986e3fee79ba4e882f6c57251d2281634508b3c2b3085fa3d731d
Instruction Fuzzy Hash: EF31C671408344AED725EB20DC45FEFB7D8AF44720F00452AF59993191DF789689EBC2

Function 00F2FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F30668

Part of subcall function 00F332A4: RaiseException.KERNEL32(?,?,?,00F3068A,?,00FE1444,?,?,?,?,?,?,00F3068A,00F11129,00FD8738,00F11129), ref: 00F33304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F30685

Strings

Unknown exception, xrefs: 00F30692

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1d51f19e7d5be29c02806b05e98be2e3eba29a72943c9b05f509efa67d471e4d
Instruction ID: 027d44a78bd18a5cb00105a13659a00c0094f9480c1e416cab69c947ce48ec2f
Opcode Fuzzy Hash: 1d51f19e7d5be29c02806b05e98be2e3eba29a72943c9b05f509efa67d471e4d
Instruction Fuzzy Hash: 76F0C23490020DB7CB00F6A4EC56D9E777C9E00370FA04532B824D6596EF75EA6AF981

Function 026D1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 026D1045
ExitProcess.KERNEL32(00000000), ref: 026D1064

Strings

D, xrefs: 026D1011

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: 8f5c9cbdeb54567d506dc608c071a9323ea7e179b61bb2bf39a565e499aed398
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: F0F0E17594028CABDB60EFE0CC49FEE777CBF04701F508508FB099A140DA7896488B61

Function 00F83017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F8302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F83044

Strings

aut, xrefs: 00F83038

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d283c7a5e5473a4eefaef22b36c8691941134ce43fcff9a44c572d0d8ec7e9de
Instruction ID: 15575f8535f3fb6bf7f1fefc575241d68fe69f1f0d568e20ac70ee5afb05144c
Opcode Fuzzy Hash: d283c7a5e5473a4eefaef22b36c8691941134ce43fcff9a44c572d0d8ec7e9de
Instruction Fuzzy Hash: 32D05EB250032867DA20A7A4AD0EFCB3BACDB05750F0002A2B696E2091DAB4D984CAD0

Function 00F97F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F982F5
TerminateProcess.KERNEL32(00000000), ref: 00F982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00F984DD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 8918cc9825694b18c9c2db19be515f7ac91c6024eaa95aa9df2caaec2a16c2cf
Instruction ID: e3eefad2e4edf5d3ccd0a2defd1e7ea7a34bb2d2a5a6af9fdc055dfec9fb5124
Opcode Fuzzy Hash: 8918cc9825694b18c9c2db19be515f7ac91c6024eaa95aa9df2caaec2a16c2cf
Instruction Fuzzy Hash: E7127C71A083019FDB14DF28C484B6ABBE5FF85364F04895DE8898B252CB35ED46DF92

Function 00F45AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe08c795998b984349d327fece1565a760caf7bf9f40a81c986f3ed097da21a
Instruction ID: d25ddbc08ebe901e6903ab43473b1638f7facef85bbdfc5004306494feaaaf01
Opcode Fuzzy Hash: 1fe08c795998b984349d327fece1565a760caf7bf9f40a81c986f3ed097da21a
Instruction Fuzzy Hash: 0951BF72D006099FCB11AFB4CC85FAE7FB8EF45B20F140059F905AB292D6799941AB61

Function 00F110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F11BF4
Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F11BFC
Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F11C07
Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F11C12
Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F11C1A
Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F11C22

Part of subcall function 00F11B4A: RegisterWindowMessageW.USER32(00000004,?,00F112C4), ref: 00F11BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F1136A
OleInitialize.OLE32 ref: 00F11388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F524AB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d457c21cee50b8a44737cee8bd217f3063f94c6f6e912b5994b1a1adb5982943
Instruction ID: e6568cf6cbb5c4c51e84106542e43b694424b6494599af787a4f5eac891db5d7
Opcode Fuzzy Hash: d457c21cee50b8a44737cee8bd217f3063f94c6f6e912b5994b1a1adb5982943
Instruction Fuzzy Hash: BC7191B59013C88FC784DF7BAD856993AE1FB89344798422AD10ACF362EB344585FF51

Function 00F154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F1556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F1557D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4bfff3d297db50abb0eac92e82aa3dbbd968147d9d1a4229237442280183dcd
Instruction ID: a793d839f1defccf8e99cd82bf3b2262dff0302f66720fae31fca2421ae25c5d
Opcode Fuzzy Hash: a4bfff3d297db50abb0eac92e82aa3dbbd968147d9d1a4229237442280183dcd
Instruction Fuzzy Hash: 10314F71A00609EFDB14CF2CC880BD9B7B6FB44754F188629E91597240D775FD94EB90

Function 00F486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F485CC,?,00FD8CC8,0000000C), ref: 00F48704
GetLastError.KERNEL32(?,00F485CC,?,00FD8CC8,0000000C), ref: 00F4870E
__dosmaperr.LIBCMT ref: 00F48739

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 917d4ebf4581bf70158a0113f45076b9ac435105ba5324115e0ee361471ff4bc
Instruction ID: 43dc4dc8034392dffefcd9f4d8ec7f7eeb0dd22775cfd2e556e799ac3553032e
Opcode Fuzzy Hash: 917d4ebf4581bf70158a0113f45076b9ac435105ba5324115e0ee361471ff4bc
Instruction Fuzzy Hash: B1010833E0566427D6A57634AC85B7E7F4A4B82BB4F2A0119EC188B1D3DEA48C83B190

Function 00F82FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00F82CD4,?,?,?,00000004,00000001), ref: 00F82FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F82CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F83006
CloseHandle.KERNEL32(00000000,?,00F82CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F8300D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8881d22bac71226a650cd0c8a0d6228118324367b55b6127c3acd2d8225c71dd
Instruction ID: f92a77ca7ba9c9939dd39226b0383ce7bb2493fcd3a76e6237ae5276dae7feaf
Opcode Fuzzy Hash: 8881d22bac71226a650cd0c8a0d6228118324367b55b6127c3acd2d8225c71dd
Instruction Fuzzy Hash: 04E0867278031477E6312755BC0DFCB3A1CD787F75F104210F759750D08AA0550163E8

Function 00F21310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F217F6

Strings

CALL, xrefs: 00F217C6

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1312573ff99323080f48b224d39d20a18e259e4bfa8937e1cb11c77aec85bb02
Instruction ID: 5dd6214eaf8403dbe0fe980ee1c3ceb2769583972ae746bd35bc06f3824f5b7f
Opcode Fuzzy Hash: 1312573ff99323080f48b224d39d20a18e259e4bfa8937e1cb11c77aec85bb02
Instruction Fuzzy Hash: 6422BB70A083119FC714DF14D891B2ABBF1BF95314F28896DF48A8B3A1D735E845EB86

Function 00F86EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F86F6B

Part of subcall function 00F14ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F86F5A, 00F86F63

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 5f8db7cd780c1fb8ddf91ac1ca2fcd5f8718c444f6e07525a25976329089cde8
Instruction ID: fc29e230559bcf945ba1a6e32a2805f361e84cd73156797a33a1da7b86aa8667
Opcode Fuzzy Hash: 5f8db7cd780c1fb8ddf91ac1ca2fcd5f8718c444f6e07525a25976329089cde8
Instruction Fuzzy Hash: DAB193315083018FCB14FF24C8919EEB7E5AF94310F54895DF49A97262EB34ED89EB92

Function 00F12DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F52C8C

Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2

Part of subcall function 00F12DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F12DC4

Strings

X, xrefs: 00F52C5A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: f60d69b3b0bd957922de1f5b72a9bed2b903e181c91d5fad382068f5481308bb
Instruction ID: 9c9054675554ff0a3bb947527de47a535f5a08baf398273c418505fe03dcf840
Opcode Fuzzy Hash: f60d69b3b0bd957922de1f5b72a9bed2b903e181c91d5fad382068f5481308bb
Instruction Fuzzy Hash: 4E210571A002589FCB41DF94CC45BEE7BF8AF49310F00801AE405E7341DBB85A89AFA1

Function 00F82557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F82587

Strings

EA06, xrefs: 00F825B9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 3c4b7cda250f6100ad19a7d76d7623ebfdc70bc9b0e46d760ff886b8a81dd283
Instruction ID: 16552654da9539e0eca6e244329702b95fb658a9b823d2610abd3437f7776288
Opcode Fuzzy Hash: 3c4b7cda250f6100ad19a7d76d7623ebfdc70bc9b0e46d760ff886b8a81dd283
Instruction Fuzzy Hash: 9401F172D442187EDF28D7A8CC26FEEBBF89F05311F04459AE192D61C1E4B8E6089B60

Function 00F13837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13908

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2023d7364f33daa5c51a260a9dca6fb24bab5e44985b2d9cc725ab84c6de402c
Instruction ID: 30db3f92a5de18314aefe82e30b5aa73186039098bc412e6e35c70d63497264c
Opcode Fuzzy Hash: 2023d7364f33daa5c51a260a9dca6fb24bab5e44985b2d9cc725ab84c6de402c
Instruction Fuzzy Hash: BE31B4B1904305DFD721DF25D8847D7BBE8FB49728F00092EF99997240E771AA84EB92

Function 00F15745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F15773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F54052

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b3d6b00df7d3488ab309c718f2f522311976f52250403a97101268863c59f59
Instruction ID: ed478240d59db05448fe69c3e03fca08ce211f02705d14cee55e8693798cec44
Opcode Fuzzy Hash: 6b3d6b00df7d3488ab309c718f2f522311976f52250403a97101268863c59f59
Instruction Fuzzy Hash: 34018431645225F6E3314A25CC0EF977F54DF42B74F108200BF5C5A1E0CBB45494DB90

Function 026D1070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 026D08E0: GetFileAttributesW.KERNELBASE(?), ref: 026D08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 026D119F

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: b4ba530996497a6c7d0c061a1c2ee6b0bedf593829268a90c745324dde3fc01c
Instruction ID: c864a37e8d68f5cb71d8cbed157b334b4f64b53b049a288200e63a32d6f97e48
Opcode Fuzzy Hash: b4ba530996497a6c7d0c061a1c2ee6b0bedf593829268a90c745324dde3fc01c
Instruction Fuzzy Hash: 0B516531E1120D97DF14EFA0C954BEF737AEF58700F0045A9A509E7280EB79AB49CBA5

Function 00F14ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F14E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E9C
Part of subcall function 00F14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F14EAE
Part of subcall function 00F14E90: FreeLibrary.KERNEL32(00000000,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EFD

Part of subcall function 00F14E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E62
Part of subcall function 00F14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F14E74
Part of subcall function 00F14E59: FreeLibrary.KERNEL32(00000000,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E87

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8fb85765d4a6532ec05794f7f25c459f3b05e7ad5e593d97680e0eccc82603f2
Instruction ID: 7c4fd768e06003a03fd7215689cc6f328e47163474c8d98fdcc7221eb9522e26
Opcode Fuzzy Hash: 8fb85765d4a6532ec05794f7f25c459f3b05e7ad5e593d97680e0eccc82603f2
Instruction Fuzzy Hash: B411C432600205AACB14AB64DC16BED77A59F80B11F104429F552AB2C1DE79AA85BB90

Function 00F48402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F48440

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c547e861a7ea58f3fb63933a3f90be7dc28211399209b0bbbffebc3d7202c777
Instruction ID: b1348e60669165dffedd977325e802420dee80743b45e1e77e8aba4e12f070bb
Opcode Fuzzy Hash: c547e861a7ea58f3fb63933a3f90be7dc28211399209b0bbbffebc3d7202c777
Instruction Fuzzy Hash: B811487590410AAFCB05DF58E9409DE7BF4EF48350F104059FC08AB312DA31DA12DBA4

Function 00F19A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F1543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00F19A9C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 540bdb0ea90ddb43d21f7aed26dc0c01ee3965deb4012be8f1b055056788e833
Instruction ID: a4ca4c782ac1ddd603a822c9cbdddbb808e67e338aaf2debccbe832912f5d837
Opcode Fuzzy Hash: 540bdb0ea90ddb43d21f7aed26dc0c01ee3965deb4012be8f1b055056788e833
Instruction Fuzzy Hash: F9118C316087049FD724CF06C890BA2B7F8EF44760F10C42DE5AB87650C7B5B889EBA0

Function 00F3E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 24f438c6a63d8f5c54042046d145140a00ba9f03643c7180cc27d8267d420e4a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C5F02832921A1497D7313A6ADC06B9B3B989F52375F100729FC20931D2CB7CE802BAA5

Function 00F43820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a98cc05d9228173c3196294e2abbb4fdff801c18011f8d3dc34de275684509e2
Instruction ID: e8eb92896be6bef51758e1257afff02084b09f677db6c11d3bb1b7ad957b3ca4
Opcode Fuzzy Hash: a98cc05d9228173c3196294e2abbb4fdff801c18011f8d3dc34de275684509e2
Instruction Fuzzy Hash: 21E02B3390022496E73127779C00B9BBF49AF427B0F090020BC1496581DB21ED01B5F0

Function 00F14F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14F6D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9e36a1fad6c986bfaaa93bb94647d7f66a264d5cec28e514ba776e39e8d4da26
Instruction ID: 13182f07b8602efc9692877a736f6d7d68c45fe31b37229d12ec0676fe61c02a
Opcode Fuzzy Hash: 9e36a1fad6c986bfaaa93bb94647d7f66a264d5cec28e514ba776e39e8d4da26
Instruction Fuzzy Hash: 8EF0A971505302CFCB348F20D8A08A2BBE4EF50329320897EE1EA87620C731A889EF00

Function 00F12DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F12DC4

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5fb011c537c05601279d91ccdec769288b55cd5a92672991047a904489c11ad5
Instruction ID: cffb4ed40f32eab118de55ed1662f3ecb57b61821ce1c9b91e484dfc01664543
Opcode Fuzzy Hash: 5fb011c537c05601279d91ccdec769288b55cd5a92672991047a904489c11ad5
Instruction Fuzzy Hash: E7E0CD726041245BC710D2589C05FEA77DDDFC8790F050071FD09D7248D964AD849590

Function 00F82693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F826B5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 1c970a00421ba8f814790fb439dd87d9d978c77a322e071c315862b19b83df75
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: B0E04FB0A09B009FDF396A28A8517F6B7E89F49310F00086EF69B82252E57278459B4D

Function 00F12B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13908

Part of subcall function 00F1D730: GetInputState.USER32 ref: 00F1D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F12B6B

Part of subcall function 00F130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F1314E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 76f07d284f7f420325eed1711a07b60e8a2dc15afbc78df5f672ca02876c4154
Instruction ID: 2d276100dc56e54b0336c4a1277ebf7dfadf9d06d7458ef63c03e0ea215a5add
Opcode Fuzzy Hash: 76f07d284f7f420325eed1711a07b60e8a2dc15afbc78df5f672ca02876c4154
Instruction Fuzzy Hash: 2DE0863270824807CA08FB76AC525EDB7999BD6365F40153EF142472A3CE7889C56392

Function 026D08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 026D08EB

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 172d62ae220a7bc0db11c60fe802d051e173ea500f6dae196c84015acd13d552
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 8FE0C271E0920CEBEB24CBB9CC08AED77A8DB04320F004754E91ACB2C0D6308A42D754

Function 00F5039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F50704,?,?,00000000,?,00F50704,00000000,0000000C), ref: 00F503B7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f028c707127e42d129ba3a64f74663ee526435c6bd86a1f45e53123dc71f136
Instruction ID: cc65f9007837b5d5c8d9937631f60d0e0cfda1da97003ba0cc58a6e7fce7fd34
Opcode Fuzzy Hash: 2f028c707127e42d129ba3a64f74663ee526435c6bd86a1f45e53123dc71f136
Instruction Fuzzy Hash: E0D06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 026D08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 026D08BB

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 55ebd899e6d2df32b96be5258bd20a1934a4ef1fe4102eac869908926f763546
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 94D0A930D4620CEBCF20CFB89C08ADE73A8EB08320F008765FD15D3280D6329A509BA4

Function 00F11CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F11CBC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bcd6056206b98916a7fbed5586f35c4b4bd606381c30128d4e7e52239124ea99
Instruction ID: f2ee9df6c36abc5b878e8626d54179be5231e6b1fe2449ae0ede40d77ff97410
Opcode Fuzzy Hash: bcd6056206b98916a7fbed5586f35c4b4bd606381c30128d4e7e52239124ea99
Instruction Fuzzy Hash: DDC09B3528034C9FF2144780BD8AF107754B348B00F484001F6095D5F3D7B11810F690

Function 00F8744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00F15745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F15773

GetLastError.KERNEL32(00000002,00000000), ref: 00F876DE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 47ae9fafc70505e3b97aa56a721e758b498faee9aff89304464964f063b7a50a
Instruction ID: 07a1c947f93e6cfd2705d5d25d5f31d82829f5f4e6d6931c15c1139f7ac60596
Opcode Fuzzy Hash: 47ae9fafc70505e3b97aa56a721e758b498faee9aff89304464964f063b7a50a
Instruction Fuzzy Hash: AE81A1306087019FCB14FF28C891BA9B7E1AF88310F18451DF8995B392DB34ED85EB92

Function 00F2FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00F2FD1F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 8a5420aadb0c102411aef3bcb7238b45e79898679a6826f0640279edc3409f08
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FE311375A101199BC718CF59E090A69F7B1FB49310BA482B5E809CB612D731EEC4EBC0

Function 026D229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 026D22B1

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: c5d1bc0e54186560710e26e581381fabd60ab8e42b314d3fb0710dd843891081
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 8EE0BF7494010EEFDB00EFA4D5496DE7BB4EF04711F1005A1FD05D7681DB309E549A72

Function 026D22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 026D22B1

Memory Dump Source

Source File: 00000000.00000002.1403156821.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26d0000_jsLnybSs43.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8103d7382d23d65b92b948a2fa9fd9978c8520b2b52781bf3dd03f0f9626d2b6
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7CE0BF7494010E9FDB00EFA4D54969E7BB4EF04701F100161FD0192281D63099509A72

Non-executed Functions

Function 00FA9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FA961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FA965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FA969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA96C9
SendMessageW.USER32 ref: 00FA96F2
GetKeyState.USER32(00000011), ref: 00FA978B
GetKeyState.USER32(00000009), ref: 00FA9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FA97AE
GetKeyState.USER32(00000010), ref: 00FA97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA97E9
SendMessageW.USER32 ref: 00FA9810
SendMessageW.USER32(?,00001030,?,00FA7E95), ref: 00FA9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FA992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FA9941
SetCapture.USER32(?), ref: 00FA994A
ClientToScreen.USER32(?,?), ref: 00FA99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FA99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA99D6
ReleaseCapture.USER32 ref: 00FA99E1
GetCursorPos.USER32(?), ref: 00FA9A19
ScreenToClient.USER32(?,?), ref: 00FA9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FA9A80
SendMessageW.USER32 ref: 00FA9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FA9AEB
SendMessageW.USER32 ref: 00FA9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FA9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FA9B4A
GetCursorPos.USER32(?), ref: 00FA9B68
ScreenToClient.USER32(?,?), ref: 00FA9B75
GetParent.USER32(?), ref: 00FA9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FA9BFA
SendMessageW.USER32 ref: 00FA9C2B
ClientToScreen.USER32(?,?), ref: 00FA9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FA9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FA9CDE
SendMessageW.USER32 ref: 00FA9D01
ClientToScreen.USER32(?,?), ref: 00FA9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FA9D82

Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952

GetWindowLongW.USER32(?,000000F0), ref: 00FA9E05

Strings

@GUI_DRAGID, xrefs: 00FA997D
F, xrefs: 00FA9D07

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 90017b6fe494dcca262fc92abfdceb1246e22bdeaf16a62bb45b75a41104dce4
Instruction ID: 728eb95646aea594809633cc1beb90c9910b4bffcde379f9155ba346778ea291
Opcode Fuzzy Hash: 90017b6fe494dcca262fc92abfdceb1246e22bdeaf16a62bb45b75a41104dce4
Instruction Fuzzy Hash: 774281B5608245AFD724CF24CC84EAABBE5FF4A320F140629F559873A1D7B1D850EF91

Function 00FA4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FA48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FA4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FA4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FA494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FA495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FA497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FA49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FA49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FA4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FA4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FA4A7E
IsMenu.USER32(?), ref: 00FA4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FA4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FA4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FA4C82
wsprintfW.USER32 ref: 00FA4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FA4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FA4D5A

Strings

%d/%02d/%02d, xrefs: 00FA4CA8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 1692a26bf8c61c2fdbb8b442c41bd90a2e3aa8d75ec6735295781e0c910d36a5
Instruction ID: 9d9ceae37b031dd4e3e69396b36afcaff8907f052c650001a0d8903c18d155dd
Opcode Fuzzy Hash: 1692a26bf8c61c2fdbb8b442c41bd90a2e3aa8d75ec6735295781e0c910d36a5
Instruction Fuzzy Hash: BC1218B5900218AFEB258F24DC45FAE7BF8EF86710F144129F519DB2D1DBB4A940EB90

Function 00F2F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F2F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F6F474
IsIconic.USER32(00000000), ref: 00F6F47D
ShowWindow.USER32(00000000,00000009), ref: 00F6F48A
SetForegroundWindow.USER32(00000000), ref: 00F6F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6F4AA
GetCurrentThreadId.KERNEL32 ref: 00F6F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F6F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F6F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F6F4DE
SetForegroundWindow.USER32(00000000), ref: 00F6F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F4F6
keybd_event.USER32(00000012,00000000), ref: 00F6F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F50B
keybd_event.USER32(00000012,00000000), ref: 00F6F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F519
keybd_event.USER32(00000012,00000000), ref: 00F6F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F528
keybd_event.USER32(00000012,00000000), ref: 00F6F52D
SetForegroundWindow.USER32(00000000), ref: 00F6F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F6F557

Strings

Shell_TrayWnd, xrefs: 00F6F46F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ec4a01e8dffcbee3d6185506bf3e8b03efd4958f747f80b6fe0cf22cf33fa310
Instruction ID: d99df8363ab17de285da8ccffb4ab3be5ec426d33cd73ffe3c78a91abbcf5def
Opcode Fuzzy Hash: ec4a01e8dffcbee3d6185506bf3e8b03efd4958f747f80b6fe0cf22cf33fa310
Instruction Fuzzy Hash: 25311EB1E4021CBEEB216BB59C4AFBF7E6CEB45B50F140065FA05E61D1CAB15D00BAA1

Function 00F71201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
Part of subcall function 00F716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
Part of subcall function 00F716C3: GetLastError.KERNEL32 ref: 00F7174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F71286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F712A8
CloseHandle.KERNEL32(?), ref: 00F712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F712D1
GetProcessWindowStation.USER32 ref: 00F712EA
SetProcessWindowStation.USER32(00000000), ref: 00F712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F71310

Part of subcall function 00F710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F711FC), ref: 00F710D4
Part of subcall function 00F710BF: CloseHandle.KERNEL32(?,?,00F711FC), ref: 00F710E9

Strings

default, xrefs: 00F7130B
, xrefs: 00F7125A
winsta0, xrefs: 00F712CC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1b5b407a596edd044ef4e3027758ac2e624aafe6c329dbc950089383094eaab9
Instruction ID: 07a09b7c65a491e0f38da1691db03434d28a384dc50afdb6c3ea0a9fffd4bcc7
Opcode Fuzzy Hash: 1b5b407a596edd044ef4e3027758ac2e624aafe6c329dbc950089383094eaab9
Instruction Fuzzy Hash: 218191B1900208AFDF21DFA8DC49FEE7BB9FF05710F14811AF918A6150D7349958EB62

Function 00F70B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
Part of subcall function 00F710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
Part of subcall function 00F710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
Part of subcall function 00F710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F70BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F70C00
GetLengthSid.ADVAPI32(?), ref: 00F70C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F70C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F70C6D
GetLengthSid.ADVAPI32(?), ref: 00F70C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F70C8C
HeapAlloc.KERNEL32(00000000), ref: 00F70C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F70CB4
CopySid.ADVAPI32(00000000), ref: 00F70CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F70CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F70D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F70D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D45
HeapFree.KERNEL32(00000000), ref: 00F70D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D55
HeapFree.KERNEL32(00000000), ref: 00F70D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D65
HeapFree.KERNEL32(00000000), ref: 00F70D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F70D78
HeapFree.KERNEL32(00000000), ref: 00F70D7F

Part of subcall function 00F71193: GetProcessHeap.KERNEL32(00000008,00F70BB1,?,00000000,?,00F70BB1,?), ref: 00F711A1
Part of subcall function 00F71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F70BB1,?), ref: 00F711A8
Part of subcall function 00F71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F70BB1,?), ref: 00F711B7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 40eb7cef07638a9b3def7fc56dd54b7cdd7e17914a06f3a38ed74fa8c003e417
Instruction ID: 130ccdb0e2a52c69de79f305828456633327640232cb3df39ee19c46204f1b18
Opcode Fuzzy Hash: 40eb7cef07638a9b3def7fc56dd54b7cdd7e17914a06f3a38ed74fa8c003e417
Instruction Fuzzy Hash: 06715DB1D0020AEBDF10DFA5DC44FAEBBB8BF05310F048516F919E6291DB75A905EBA1

Function 00F8EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FACC08), ref: 00F8EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F8EB37
GetClipboardData.USER32(0000000D), ref: 00F8EB43
CloseClipboard.USER32 ref: 00F8EB4F
GlobalLock.KERNEL32(00000000), ref: 00F8EB87
CloseClipboard.USER32 ref: 00F8EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F8EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00F8EBC9
GetClipboardData.USER32(00000001), ref: 00F8EBD1
GlobalLock.KERNEL32(00000000), ref: 00F8EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00F8EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00F8EC38
GetClipboardData.USER32(0000000F), ref: 00F8EC44
GlobalLock.KERNEL32(00000000), ref: 00F8EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F8EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00F8ECF3
CountClipboardFormats.USER32 ref: 00F8ED14
CloseClipboard.USER32 ref: 00F8ED59

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6f53a7b8cd238fbbf62951eda067b05a7b165b82eed5b076f59a486c45f9c835
Instruction ID: 52889095c4e241d65106e6b3c1d5d70a5e1722d531f2b2fb6fa9d196f74cf8a0
Opcode Fuzzy Hash: 6f53a7b8cd238fbbf62951eda067b05a7b165b82eed5b076f59a486c45f9c835
Instruction Fuzzy Hash: 8861E2752043059FD300EF20CC94FAAB7E4AF85724F14451DF856972A2DB31ED49EBA2

Function 00F8698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F869BE
FindClose.KERNEL32(00000000), ref: 00F86A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F86A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F86A75

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00F86AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F86ADF

Strings

%03d, xrefs: 00F86DA2
%4d, xrefs: 00F86BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00F86B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00F86B32
%02d, xrefs: 00F86C00, 00F86C0A, 00F86C5A, 00F86CAA, 00F86CFA, 00F86D4A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 728c012a11edb25cedb1f103edbfb6734f7e1dffd425c120fc5213b759b5a53e
Instruction ID: a3c528f4309eb931faf97f56d960552d1edd3819ee3f5fd56c519c0752b9aa79
Opcode Fuzzy Hash: 728c012a11edb25cedb1f103edbfb6734f7e1dffd425c120fc5213b759b5a53e
Instruction Fuzzy Hash: 24D14072508300AEC714EBA4DC91EEBB7ECAF88704F44491DF585D7191EB78DA48DBA2

Function 00F89642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00F89663
GetFileAttributesW.KERNEL32(?), ref: 00F896A1
SetFileAttributesW.KERNEL32(?,?), ref: 00F896BB
FindNextFileW.KERNEL32(00000000,?), ref: 00F896D3
FindClose.KERNEL32(00000000), ref: 00F896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00F896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8974A
SetCurrentDirectoryW.KERNEL32(00FD6B7C), ref: 00F89768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F89772
FindClose.KERNEL32(00000000), ref: 00F8977F
FindClose.KERNEL32(00000000), ref: 00F8978F

Strings

*.*, xrefs: 00F896F5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: abe225f7383ba20f00f7384ea6b6f4bcdf711830e46962cc63d157ad854204f6
Instruction ID: 30982d149637369aecd6eb03cf89c65885842e9e1f44a758bfef093a3e5d6029
Opcode Fuzzy Hash: abe225f7383ba20f00f7384ea6b6f4bcdf711830e46962cc63d157ad854204f6
Instruction Fuzzy Hash: 8831C3729042196ADF10AFB4DC08AEE77AC9F4A330F184156F815E21A0EB74DE40AB64

Function 00F8979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00F897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00F89819
FindClose.KERNEL32(00000000), ref: 00F89824
FindFirstFileW.KERNEL32(*.*,?), ref: 00F89840
SetCurrentDirectoryW.KERNEL32(?), ref: 00F89890
SetCurrentDirectoryW.KERNEL32(00FD6B7C), ref: 00F898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F898B8
FindClose.KERNEL32(00000000), ref: 00F898C5
FindClose.KERNEL32(00000000), ref: 00F898D5

Part of subcall function 00F7DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F7DB00

Strings

*.*, xrefs: 00F8983B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 84478d7b02675e68fd4e56005578043a06125f77c139f72fdd22ea9ec99f051f
Instruction ID: 3546caae4ab36c7322281659a151a232119e9eab4564cf27627227bbc9475322
Opcode Fuzzy Hash: 84478d7b02675e68fd4e56005578043a06125f77c139f72fdd22ea9ec99f051f
Instruction Fuzzy Hash: DA31A37290461A6EDF10BFB4DC48AEE77AC9F46334F584156E814E21A0DBB4DE44EB60

Function 00F88195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F88257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F88267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F88273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F88310
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88324
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F8838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88395

Strings

*.*, xrefs: 00F8839B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 86463a0f87019d8482a1a76aa71e7ee5d46c68496a9b52977904d161bd80a254
Instruction ID: e04bfd8c704ab5405b3ad6e3a424402e8e83a966c9f3c2b4923d10a5c7723323
Opcode Fuzzy Hash: 86463a0f87019d8482a1a76aa71e7ee5d46c68496a9b52977904d161bd80a254
Instruction Fuzzy Hash: A2615BB25043059FCB10EF64C84499EB3E9FF89360F44891EF98987251EB35E946DB92

Function 00F7D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2

Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F7D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F7D1DD
MoveFileW.KERNEL32(?,?), ref: 00F7D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F7D237

Part of subcall function 00F7D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F7D21C,?,?), ref: 00F7D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F7D253
FindClose.KERNEL32(00000000), ref: 00F7D264

Strings

\*.*, xrefs: 00F7D0CD, 00F7D0D6, 00F7D0EB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 77ac7f0b2bde14f8663565ab9132743b6765fc174a254465adc06502213dd826
Instruction ID: a5e34854a9ba7e34fc1cbf11fa12212be3a4ceefbb91f91ac0290d5c650f9207
Opcode Fuzzy Hash: 77ac7f0b2bde14f8663565ab9132743b6765fc174a254465adc06502213dd826
Instruction Fuzzy Hash: B1618F71C0510D9ACF05EBE0CD529EDB7B5AF15310FA48066E406B7192EB346F4AEBA1

Function 00F8ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F8ED91
EmptyClipboard.USER32 ref: 00F8ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00F8EDAC
CloseClipboard.USER32 ref: 00F8EEA3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c8345da6347a9fee01f9f4a10a019af9c9a3f77ef2e71c99c620aec145ea2e31
Instruction ID: 0662c757a048f5a8ba1c2b4784c924e15538fd21bed35469c4ac288a58da2ae8
Opcode Fuzzy Hash: c8345da6347a9fee01f9f4a10a019af9c9a3f77ef2e71c99c620aec145ea2e31
Instruction Fuzzy Hash: 2D41AB75604611AFE320EF15D888B99BBE1FF45328F15C099E4198B7A2C735EC42EBD0

Function 00F7E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
Part of subcall function 00F716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
Part of subcall function 00F716C3: GetLastError.KERNEL32 ref: 00F7174A

ExitWindowsEx.USER32(?,00000000), ref: 00F7E932

Strings

@, xrefs: 00F7E925
, xrefs: 00F7E95C
, xrefs: 00F7E920
SeShutdownPrivilege, xrefs: 00F7E902

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b9c65f1c88f8f6aed5ecbe9fe498e4ab52d56939d8586f6072db527a31192a76
Instruction ID: 2f43180bf7f2401d10ef85c1f5dcd9b9ec2a1cb15350829a4fcf6dfa0649efbb
Opcode Fuzzy Hash: b9c65f1c88f8f6aed5ecbe9fe498e4ab52d56939d8586f6072db527a31192a76
Instruction Fuzzy Hash: 03012B73A10214AFEB6426749C85BBB727CA718750F148463FA07E21D1D6645C40B2D2

Function 00F91204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F91276
WSAGetLastError.WSOCK32 ref: 00F91283
bind.WSOCK32(00000000,?,00000010), ref: 00F912BA
WSAGetLastError.WSOCK32 ref: 00F912C5
closesocket.WSOCK32(00000000), ref: 00F912F4
listen.WSOCK32(00000000,00000005), ref: 00F91303
WSAGetLastError.WSOCK32 ref: 00F9130D
closesocket.WSOCK32(00000000), ref: 00F9133C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b4a06e2b615e8a161ce99da1dedac1b14b12d1e7c3af4dce3d392e5a771608b0
Instruction ID: e751cf3d82622caae5e7643065ecce5dfef0c37df448124e86f6600aff1c25cf
Opcode Fuzzy Hash: b4a06e2b615e8a161ce99da1dedac1b14b12d1e7c3af4dce3d392e5a771608b0
Instruction Fuzzy Hash: 2B41A471A001059FEB10EF24C488B69BBF6BF46328F188198D8568F2D6C775EC81DBE1

Function 00F4B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F4B9D4
_free.LIBCMT ref: 00F4B9F8
_free.LIBCMT ref: 00F4BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FB3700), ref: 00F4BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00FE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F4BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00FE1270,000000FF,?,0000003F,00000000,?), ref: 00F4BC36
_free.LIBCMT ref: 00F4BD4B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d1370393a6d74236c1fc077c50b8fc252e60fbd37317ac6ba056cff4079dd45d
Instruction ID: ee5b4c34ef0ceda141c4fec90fc892d0e77906839d373af4d6c2ea5651f189aa
Opcode Fuzzy Hash: d1370393a6d74236c1fc077c50b8fc252e60fbd37317ac6ba056cff4079dd45d
Instruction Fuzzy Hash: FAC10571E04249AFDB209F698C81BAA7FB9EF41320F14419AED90DB253EB34DE41B750

Function 00F7D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2

Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F7D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F7D481
FindClose.KERNEL32(00000000), ref: 00F7D498
FindClose.KERNEL32(00000000), ref: 00F7D4A1

Strings

\*.*, xrefs: 00F7D3F2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2a6ef097cd8fec27f826860e0a4159e579e5608651c244c9ed18c19c5db724f0
Instruction ID: 04334f842756f49a99e5088c143a72eb11aef5816604cfaec261dc042313041e
Opcode Fuzzy Hash: 2a6ef097cd8fec27f826860e0a4159e579e5608651c244c9ed18c19c5db724f0
Instruction Fuzzy Hash: A73190710083459BC304EF64CC519EFB7E8AE92314F848A1EF4D593191EB34AA49EBA3

Function 00F4E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F4E645

Strings

1#SNAN, xrefs: 00F4F844
1#IND, xrefs: 00F4F83D
1#INF, xrefs: 00F4F852
1#QNAN, xrefs: 00F4F84B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 32df9c12351c7f1a9c3365fdb991465147fe2743cf45a177df49d71ecb6f43f0
Instruction ID: b7665c229070ef32eef16451079936b7a431c2ab7588c134a7705dd9b171501d
Opcode Fuzzy Hash: 32df9c12351c7f1a9c3365fdb991465147fe2743cf45a177df49d71ecb6f43f0
Instruction Fuzzy Hash: ACC23B72E046288FDB25CE28DD407EABBB5FB84315F1541EAD84DE7240E778AE859F40

Function 00F8648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F864DC
CoInitialize.OLE32(00000000), ref: 00F86639
CoCreateInstance.OLE32(00FAFCF8,00000000,00000001,00FAFB68,?), ref: 00F86650
CoUninitialize.OLE32 ref: 00F868D4

Strings

.lnk, xrefs: 00F864BA, 00F86524, 00F865E0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 32632844297af21d41ba968c9cc7406d90eeb9c94e690bcb3b5f1b5872cbe226
Instruction ID: e1573bdb9b454a334bb33ad57cee9a520a69e33b30388074c21694e32b58f334
Opcode Fuzzy Hash: 32632844297af21d41ba968c9cc7406d90eeb9c94e690bcb3b5f1b5872cbe226
Instruction Fuzzy Hash: 31D15971508301AFC304EF24C891AABB7E8FF98714F04496DF595CB291EB74E949DBA2

Function 00F922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F922E8

Part of subcall function 00F8E4EC: GetWindowRect.USER32(?,?), ref: 00F8E504

GetDesktopWindow.USER32 ref: 00F92312
GetWindowRect.USER32(00000000), ref: 00F92319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F92355
GetCursorPos.USER32(?), ref: 00F92381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F923DF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f138b892ee6b0ca1c9a693b696b445c710208ba6a8245b9ace561d3c26547457
Instruction ID: a312c033bdeba653701527bbb9193155db2a33f4ad8e8ad5fdfb1f3b1c6d10a8
Opcode Fuzzy Hash: f138b892ee6b0ca1c9a693b696b445c710208ba6a8245b9ace561d3c26547457
Instruction Fuzzy Hash: A2319E72905319AFDB20DF54C849E5BB7A9FF89314F00091AF98997191DB34E908DB92

Function 00F89B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F89B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F89C8B

Part of subcall function 00F83874: GetInputState.USER32 ref: 00F838CB
Part of subcall function 00F83874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F83966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F89BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F89C75

Strings

*.*, xrefs: 00F89B5D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 731f6f88e8ad333dfb06609088fff1af08f0ccaa956e70f332ecb015cb552e87
Instruction ID: 121f36306c4bcbf7714ed9d163cae25b312a90738dd630cbd45ca75039839214
Opcode Fuzzy Hash: 731f6f88e8ad333dfb06609088fff1af08f0ccaa956e70f332ecb015cb552e87
Instruction Fuzzy Hash: 0B418371D0420A9FCF15EF64CC45AEE7BF4EF46320F144056E815A2191EB759E84EFA1

Function 00F2997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F29A4E
GetSysColor.USER32(0000000F), ref: 00F29B23
SetBkColor.GDI32(?,00000000), ref: 00F29B36

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 6ed705caf61efac0058ade3ab9fa9bbbb2352131a1226811d4c8441af9b1a6a7
Instruction ID: ef3bb4e62abb77f3b3e90a9a44f44158690e0c0478094988d0d3f19093474022
Opcode Fuzzy Hash: 6ed705caf61efac0058ade3ab9fa9bbbb2352131a1226811d4c8441af9b1a6a7
Instruction Fuzzy Hash: 8FA14BB190C264AEE724AA3DAC98F7F369DEF43364F140119F402C7591CAAD9D41F671

Function 00F91806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
Part of subcall function 00F9304E: _wcslen.LIBCMT ref: 00F9309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F9185D
WSAGetLastError.WSOCK32 ref: 00F91884
bind.WSOCK32(00000000,?,00000010), ref: 00F918DB
WSAGetLastError.WSOCK32 ref: 00F918E6
closesocket.WSOCK32(00000000), ref: 00F91915

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 3d192cc2732d328d40e652eb338affaa75268ca936c56e76f47954f5a63310e0
Instruction ID: 671626fee31d92be16a7df21cd083a90604f64586f56388de2e500f28422862d
Opcode Fuzzy Hash: 3d192cc2732d328d40e652eb338affaa75268ca936c56e76f47954f5a63310e0
Instruction Fuzzy Hash: 6851B471A002109FEB10EF24D886F6A77E5AB45718F088058F9159F3D3DB75AD41EBE1

Function 00FA1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FA1CC0
IsWindowEnabled.USER32 ref: 00FA1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FA1CDB
IsIconic.USER32 ref: 00FA1CE9
IsZoomed.USER32 ref: 00FA1CF7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b71fe456defea251c41baf48f606f4e8b3f8726e879aef913f541142bbf38ca5
Instruction ID: cc752b148cebdafac3f3bfba254acc7513a1180aea588a84bbfc930f4a9bf419
Opcode Fuzzy Hash: b71fe456defea251c41baf48f606f4e8b3f8726e879aef913f541142bbf38ca5
Instruction Fuzzy Hash: 3721A6B1B402155FD7208F1AC844BA67BE5FF86334F1A8058E8468B351C775EC42EBD4

Function 00F18060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F1843C
VUUU, xrefs: 00F183E8
ERCP, xrefs: 00F1813C
VUUU, xrefs: 00F55DF0
VUUU, xrefs: 00F183FA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8fb11b3f419f5907818f009c4094adcf53fe76ee110bfd6cd585696356fbd22d
Instruction ID: 09825318d2da924827cb65f914169c3a8859b0eb85784619a54587248d313422
Opcode Fuzzy Hash: 8fb11b3f419f5907818f009c4094adcf53fe76ee110bfd6cd585696356fbd22d
Instruction Fuzzy Hash: 54A28D71E0061ACBDF24CF58C9507EDB7B1BB54761F2481AAED15A7280EB309DC6EB90

Function 00F9A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F9A6BA

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F9A79C
CloseHandle.KERNEL32(00000000), ref: 00F9A7AB

Part of subcall function 00F2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F53303,?), ref: 00F2CE8A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e90dedb4730d94df0a203ec5e277d4878b126c4b9b2b10bafd4c12f8d4a70494
Instruction ID: 722fe351c1748de979a47c3afb8cd7816dc5f330440b0fc0cd279f0cfb3c24a8
Opcode Fuzzy Hash: e90dedb4730d94df0a203ec5e277d4878b126c4b9b2b10bafd4c12f8d4a70494
Instruction Fuzzy Hash: A7518DB1508300AFD710EF24CC86AABBBE8FF89754F40891DF58597252EB34D944DBA2

Function 00F7AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F7AAAC
SetKeyboardState.USER32(00000080), ref: 00F7AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F7AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F7AB88

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a4ba9a4e0099330e77d1f2ffbf6174b4b83044a8b2c257ea38b7d3e260fb5171
Instruction ID: 11232d4ede8501653a32417b206a4487285679964dc8a73efaccf78b0c70eb7b
Opcode Fuzzy Hash: a4ba9a4e0099330e77d1f2ffbf6174b4b83044a8b2c257ea38b7d3e260fb5171
Instruction Fuzzy Hash: 3E312971E40608AEFB35CA68CC05BFE77A6ABC5320F04C21BF189521D1D3788991E7A3

Function 00F8CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00F8CE89
GetLastError.KERNEL32(?,00000000), ref: 00F8CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00F8CEFE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 2df63adc3850ac4f8836c1e8ad24712abe36b911cb878ed3ae46a1fa5336affb
Instruction ID: ec625a9fc308bcc9873edcb56951f05c6b093f81e237c4462ef86650d3475be9
Opcode Fuzzy Hash: 2df63adc3850ac4f8836c1e8ad24712abe36b911cb878ed3ae46a1fa5336affb
Instruction Fuzzy Hash: 7E219DB1900305ABEB30EF65D948BA6B7F8EB40364F10441EE646D2151EB74EE04ABB0

Function 00F78298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F782AA

Strings

|, xrefs: 00F782DA
(, xrefs: 00F782F0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5cce1776ce8cccced27f052a687435236af0cb07316c00f543d14b7e4613cd31
Instruction ID: 0f2e6cec57b3a6c11fec37e77f40bf99c454f9d5491702dd92d365b1dcfb91ea
Opcode Fuzzy Hash: 5cce1776ce8cccced27f052a687435236af0cb07316c00f543d14b7e4613cd31
Instruction Fuzzy Hash: 16324575A007059FCB28CF59C484A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB41

Function 00F85C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F85CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00F85D17
FindClose.KERNEL32(?), ref: 00F85D5F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1e64dc3812555221e877e2e4f3abd9e31401fed9375ec73978ab3f85ceac69a7
Instruction ID: c008c6c18b6bfc75abc246cf119fdf934f6775e9ac485371e57f03774d68a954
Opcode Fuzzy Hash: 1e64dc3812555221e877e2e4f3abd9e31401fed9375ec73978ab3f85ceac69a7
Instruction Fuzzy Hash: 1351AA75A046019FC714DF28C884A96B7E4FF4A324F14855EE95A8B3A2CB30EC45DF91

Function 00F42622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F4271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F42724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F42731

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af65c46d824775380e3fb31d6d5cbc6bbbd8c8621132d384c1aa8aac756cce97
Instruction ID: 6ad348dcd64dcf382dd26fd4c73c9b5bdb9b45fce6d86b9ba5e31db741ba71d9
Opcode Fuzzy Hash: af65c46d824775380e3fb31d6d5cbc6bbbd8c8621132d384c1aa8aac756cce97
Instruction Fuzzy Hash: 1531D57490121C9BCB61DF64DD887DCBBB8AF08320F5041EAE80CA7260EB349F819F44

Function 00F851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F85238
SetErrorMode.KERNEL32(00000000), ref: 00F852A1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f04022dc3da9008dbf3484178a6f39eb5d4f73feae19bcedf1f3b42fcc5fccc1
Instruction ID: 16000cb66742f021ca14673fb0a774231b29993c8eb9ca7b6d92d2aa4d8b3527
Opcode Fuzzy Hash: f04022dc3da9008dbf3484178a6f39eb5d4f73feae19bcedf1f3b42fcc5fccc1
Instruction Fuzzy Hash: 8E314B75A005189FDB00EF54D884EEDBBB5FF49318F088099E805AB362DB35E856DBA0

Function 00F716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F30668
Part of subcall function 00F2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F30685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
GetLastError.KERNEL32 ref: 00F7174A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 6e09c38dd636a62d97ecdc8812c0ba542d247c6507eafdf9073167ae310d32cc
Instruction ID: 95674c26b90714930534801cd318e986c9149bcd2e2940acb35e0d5249b38377
Opcode Fuzzy Hash: 6e09c38dd636a62d97ecdc8812c0ba542d247c6507eafdf9073167ae310d32cc
Instruction Fuzzy Hash: 531191B2414308AFD7189F54EC86D6AB7BDFB44714B20C52EE05A97241EB70BC469A60

Function 00F7D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F7D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F7D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F7D650

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7c2058e7edc026ba59621f85e861d25711857ec67f4018a9a58715f81c6f7fef
Instruction ID: 4bdc1c896cc5334b0c5f12ccd9ea2b318b25c957004efa49418a77eb4bad9b68
Opcode Fuzzy Hash: 7c2058e7edc026ba59621f85e861d25711857ec67f4018a9a58715f81c6f7fef
Instruction Fuzzy Hash: 79115EB5E05228BFDB108F95DC45FAFBBBCEB45B60F108116F908E7290D6704A059BE1

Function 00F71663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F7168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F716A1
FreeSid.ADVAPI32(?), ref: 00F716B1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: aed67277c8e5867b9a7a71446f905976ef6f1e4fc672295cb35595cd8700cd6d
Instruction ID: 37dd705213021eaebbf7e2cde4170a855202455b5d427b253a66063728539fb2
Opcode Fuzzy Hash: aed67277c8e5867b9a7a71446f905976ef6f1e4fc672295cb35595cd8700cd6d
Instruction Fuzzy Hash: E2F0F4B195030DFBDB00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA449A90

Function 00F34CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000,?,00F428E9), ref: 00F34D09
TerminateProcess.KERNEL32(00000000,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000,?,00F428E9), ref: 00F34D10
ExitProcess.KERNEL32 ref: 00F34D22

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 203cb351ed87e93d7c41eb9ecdc3dfd45b4b81d78f909905368957679470f44b
Instruction ID: 78038989cfd1955f3de3d1ac556c349cfdce4f56abf39240fac271fc1cdcb42f
Opcode Fuzzy Hash: 203cb351ed87e93d7c41eb9ecdc3dfd45b4b81d78f909905368957679470f44b
Instruction Fuzzy Hash: 95E0B671400249ABCF11AF54DD09A593F69EB427A1F104014FC059A132CB39FD42EA80

Function 00F4C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00F4C36C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 72232b77a4813ce7aa35f4954e349221af8008d8ebd96d859c652e768a56b124
Instruction ID: 2fb6709a79a0538c735a565c92b3611c16e92c6b407def5b004abf94e1012e44
Opcode Fuzzy Hash: 72232b77a4813ce7aa35f4954e349221af8008d8ebd96d859c652e768a56b124
Instruction Fuzzy Hash: A54129769012196FCB20DFB9CC49EBB7B78EB84324F504269FD05D7180E6709E41DB90

Function 00F6D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F6D28C

Strings

X64, xrefs: 00F6D2A8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a5f5322b997eb5134c05c2381494a70ced107d3fa81a36c63267e1526c8ced7b
Instruction ID: 38f290aaa8e6e19dbd66da034082098263cd9d44a4ad43d5f2c14a0e1be4a1ac
Opcode Fuzzy Hash: a5f5322b997eb5134c05c2381494a70ced107d3fa81a36c63267e1526c8ced7b
Instruction Fuzzy Hash: 6CD0CAB680116DEACB94CBA0EC88EDAB3BCBB04305F104292F106E2000DB349648AF20

Function 00F3CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 252280e8e656c53b127d1db349f06a83f8e0cdfe11b8d9254b29ecd7f162768b
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 72020D72E002199BDF14CFA9C8806ADFBF1FF88324F258169D919F7384D731AA419B94

Function 00F868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F86918
FindClose.KERNEL32(00000000), ref: 00F86961

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5508006847b5fcfcf53225e53e600217abee75a17687e1e9cf6904664682faf6
Instruction ID: bbc358a6097a4562f4ac012306ad1b81ae961c4eaba3d2950a99b090e46f6488
Opcode Fuzzy Hash: 5508006847b5fcfcf53225e53e600217abee75a17687e1e9cf6904664682faf6
Instruction Fuzzy Hash: BE119D716042009FC710DF29D888A56BBE5FF89328F15C6A9E4698F7A2CB34EC45DBD1

Function 00F837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F94891,?,?,00000035,?), ref: 00F837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F94891,?,?,00000035,?), ref: 00F837F4

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 31dea4f7a5b8407c17a71a1e3fcd5382a5fc0c128a40379ab0ba41e3b109452b
Instruction ID: 1cf98f57ced605e612b1ed233419090075cf1affcdbb3f75671321deaa1d13b4
Opcode Fuzzy Hash: 31dea4f7a5b8407c17a71a1e3fcd5382a5fc0c128a40379ab0ba41e3b109452b
Instruction Fuzzy Hash: 82F0E5B16083292AEB2027668C4DFEB3AAEEFC5B61F000175F509D2291D9A09944D7F0

Function 00F7B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F7B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00F7B270

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bad2e2111c267f35d4f88ae1c39f124d006429296c8a1d05227b16de45e29c40
Instruction ID: 1a3ea2ac728fd1c349afb41a4195f9ec151af25b705d897aee6a77f92e883d8b
Opcode Fuzzy Hash: bad2e2111c267f35d4f88ae1c39f124d006429296c8a1d05227b16de45e29c40
Instruction Fuzzy Hash: C2F01D7180424DABDB059FA0C805BBE7BB4FF09319F04800AF955A5192C7798611EF95

Function 00F710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F711FC), ref: 00F710D4
CloseHandle.KERNEL32(?,?,00F711FC), ref: 00F710E9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 791384db2e07b904912f12e840a0c1385a3c36d627b6c2f8095aee80576ae8ca
Instruction ID: 0514453781fee335ad85930983739fd0820b29c5ee54ac5353291c8b8a86a99f
Opcode Fuzzy Hash: 791384db2e07b904912f12e840a0c1385a3c36d627b6c2f8095aee80576ae8ca
Instruction Fuzzy Hash: C1E0BF72414610AEF7252B55FC05E7777A9EF05320B14C82EF5A6804B1DB626C94EB50

Function 00F1CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F60C40

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: d47e7e45c4aba19673204b89e5bc50577d544079c9a1d200dbd457d1540589d7
Instruction ID: 516f6a1b03181ede6e80e3a35b295478c87a84e1a201a30ee190de9dea823cea
Opcode Fuzzy Hash: d47e7e45c4aba19673204b89e5bc50577d544079c9a1d200dbd457d1540589d7
Instruction Fuzzy Hash: 9B329E31D40218DFCF14DF90D881BEEB7B5BF15314F248059E806AB292DB75AD86EBA1

Function 00F4676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F46766,?,?,00000008,?,?,00F4FEFE,00000000), ref: 00F46998

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a049aceb04a21786fcacd38b5e7b45afd24153aa98f4b7e7acc12fd48b882e49
Instruction ID: ac7f79ed9e97b0c9099b83bfe9719a6c352fadc8cd26319b109b4dacf9533854
Opcode Fuzzy Hash: a049aceb04a21786fcacd38b5e7b45afd24153aa98f4b7e7acc12fd48b882e49
Instruction Fuzzy Hash: 4FB15A32A106089FD719CF28C48AB657FE0FF46364F258658EC99CF2A2C735E981DB41

Function 00F2B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F6851F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 05032a61a5206a586b7314abb3bc315c47e3a1d65d7519c422dd55d0decdcac2
Instruction ID: f42512728ffd1ffaed5edd00e7508ab2fa833c51ea1ff43160a61baf3b4d04ff
Opcode Fuzzy Hash: 05032a61a5206a586b7314abb3bc315c47e3a1d65d7519c422dd55d0decdcac2
Instruction Fuzzy Hash: 5F126E71D002299BCB24DF58D8917EEB7F5FF48310F14819AE849EB251EB349E81EB90

Function 00F8EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F8EABD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dff70facf044d998e298d7577d72d2728f5d46ae096e058df3a2c2c63b8ed512
Instruction ID: d04f599df1d6e20061184d993b574be30c0edbc84a11a0c93c3176922ccbd182
Opcode Fuzzy Hash: dff70facf044d998e298d7577d72d2728f5d46ae096e058df3a2c2c63b8ed512
Instruction Fuzzy Hash: 50E04F322002049FC710EF59D804EDAF7E9AF98770F048416FC49C7351DB74E8819BA0

Function 00F309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F303EE), ref: 00F309DA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ebb2b841400283a49fcc91d093c12057f4637e541e18f11ab124a6ebce57aa73
Instruction ID: df6577423455aa1cf95e483709b0190d169b60b5a887982c142aa7488a14baaf
Opcode Fuzzy Hash: ebb2b841400283a49fcc91d093c12057f4637e541e18f11ab124a6ebce57aa73
Instruction Fuzzy Hash:

Function 00F3781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F3798B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ce5a7c3651295effc828a2114b6b761e8187784c81ba9eefb021d64917570584
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: FA5138E2E0D7456BDF38B568885A7BF73C59B02370F280A09E882D7282C619DE06F351

Function 00F46DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d2675b50eb4c0e863bbbe7060efa20091ad094efa5aa3f1152c6fc4a85f423
Instruction ID: ab1485a48399d73373109667bad0618777ba715691f5b975689aec4f5ba589d7
Opcode Fuzzy Hash: c8d2675b50eb4c0e863bbbe7060efa20091ad094efa5aa3f1152c6fc4a85f423
Instruction Fuzzy Hash: 22326522D28F014DDB63A634CC62336AA49AFB73D5F15C737FC1AB59A5EB28C4836500

Function 00F2CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897280c0ebf088fe90b6518e9cc62b07a3043a949685685e5ef1589b6be7ac4b
Instruction ID: d9120c73bdaf91d5111f0c84c3c116f4083894ca1b6301cd0d51e54f609e13c5
Opcode Fuzzy Hash: 897280c0ebf088fe90b6518e9cc62b07a3043a949685685e5ef1589b6be7ac4b
Instruction Fuzzy Hash: FA320532E011958BCF28CF69D89467D7BA1EB45320F28816BD5DADB291D234DE81FBC1

Function 00F17920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e84136751f8dd3f9523bb451f0e9bcc1d438bc17d420a4469d6059267768adf
Instruction ID: 1cb43ad020efc10200bbca358d88eb3b0f09850c97b8c18d3710edd44ed8f8e5
Opcode Fuzzy Hash: 5e84136751f8dd3f9523bb451f0e9bcc1d438bc17d420a4469d6059267768adf
Instruction Fuzzy Hash: 5322E271E0460ADFDF04DF64C851AEEB3B6FF44710F204129E816A7291EB3AAD55EB50

Function 00F191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7697e9ca5d04d971c07d82e7d3cb1258a41ec2221a73cf0366f63db8f75b3493
Instruction ID: 5097d3109d3c59b918dc8fd2585819a4be7092ffd20809b6bdc04fb1bf4d90a2
Opcode Fuzzy Hash: 7697e9ca5d04d971c07d82e7d3cb1258a41ec2221a73cf0366f63db8f75b3493
Instruction Fuzzy Hash: 7002F6B1E00209EBCB04DF64D881AAEB7B5FF44310F118169E916DB290EB75EE54EBC1

Function 00F49EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e6f6e119d1d6148f1026721463ab8bf85f9599bad13c5199d152a2780fcd63
Instruction ID: 0ed121aa1ab8f7d50edaadc55d30f74b73b75237e1ff32fbad1d4fe60f6fbe9e
Opcode Fuzzy Hash: a8e6f6e119d1d6148f1026721463ab8bf85f9599bad13c5199d152a2780fcd63
Instruction Fuzzy Hash: CAB11320D6AF444DD3239A398871337BA8CAFBB2D5F95D31BFC1674D22EB2286835540

Function 00F31C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: be3f717f30267bba8d75a1f2af84a67dfeea039e6a4eaf72143a4ae1b20819aa
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 04918933A090A34ADB69463E853417EFFE17A523B1B1A079DD8F2CA1C1FE10D954F620

Function 00F319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 614fb24c1e16410ea03450a603866f0adfc8f454a2453987b23c5f3ddd4f8b96
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 749155736090E34ADB2D467A857417EFFE16A923B2B1A079DD4F2CA1C1FE14C564F620

Function 00F37A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97070d0cbd1d98720751e63b71f37e5b5e94026f8273d5066136bf5b1fc9cf8
Instruction ID: 92e9ea95c262398435586fb0db22fdead194370ee850ac57508c7ef1ace05335
Opcode Fuzzy Hash: c97070d0cbd1d98720751e63b71f37e5b5e94026f8273d5066136bf5b1fc9cf8
Instruction Fuzzy Hash: EB617AF2A08349A6DE34BA288C95BBEB3A4DF81770F140919F843DB295D6199E42F315

Function 00F37CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d04a954e76f5f844f604bab67a9096ad8f09508f4220cd44ef7661c9e10453
Instruction ID: 4f1ed011db7026da55855e9846cbd724336863bd5e80155b2b2960d2548e66d5
Opcode Fuzzy Hash: e6d04a954e76f5f844f604bab67a9096ad8f09508f4220cd44ef7661c9e10453
Instruction Fuzzy Hash: 40616BF2E0C74966DE38BA288C55BBF73949F41770F100959F843DB281DA19AD82F255

Function 00F31706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c685d9ff3d8cebc9d15ffebb7783edfdbb1ff66f892d75c3c391e388429e8750
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 38816433A090A349DB6D863A853453EFFE17A923B1B1E079DD4F2CA1C1EE24C564F620

Function 00F82046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e368dcc111f985badaf476e44c6981459c1074c27c43d85af590bf633b5cd9da
Instruction ID: a4604d1d831552bf837d089d0db4b8128b7b8886e7259d98eb4227311218bf0d
Opcode Fuzzy Hash: e368dcc111f985badaf476e44c6981459c1074c27c43d85af590bf633b5cd9da
Instruction Fuzzy Hash: C6210D327206558BDB68CF79C8536BE73E9A754320F14862EE4A7C73D0DE79A904D780

Function 00F92ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F92B30
DeleteObject.GDI32(00000000), ref: 00F92B43
DestroyWindow.USER32 ref: 00F92B52
GetDesktopWindow.USER32 ref: 00F92B6D
GetWindowRect.USER32(00000000), ref: 00F92B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F92CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F92CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92CF8
GetClientRect.USER32(00000000,?), ref: 00F92D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F92D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92DA8
GlobalFree.KERNEL32(00000000), ref: 00F92DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FAFC38,00000000), ref: 00F92DDB
GlobalFree.KERNEL32(00000000), ref: 00F92DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F92E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F92E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F9303F

Strings

static, xrefs: 00F92D3A, 00F92E91
DISPLAY, xrefs: 00F92EA2
AutoIt v3, xrefs: 00F92CF2
, xrefs: 00F92FC5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5bb43aa045e9cd51b45412cbf6f713889876d190867932af8c832e7a6fc74f07
Instruction ID: bd2c487b7c11cdc987edd579e3458c2a42a53ef596b72b528a3b04c7878710a5
Opcode Fuzzy Hash: 5bb43aa045e9cd51b45412cbf6f713889876d190867932af8c832e7a6fc74f07
Instruction Fuzzy Hash: 700260B1A00209EFDB14DF64CC89EAE7BB9FB49314F048158F915AB2A1D774DD41EBA0

Function 00FA70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FA712F
GetSysColorBrush.USER32(0000000F), ref: 00FA7160
GetSysColor.USER32(0000000F), ref: 00FA716C
SetBkColor.GDI32(?,000000FF), ref: 00FA7186
SelectObject.GDI32(?,?), ref: 00FA7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FA71C0
GetSysColor.USER32(00000010), ref: 00FA71C8
CreateSolidBrush.GDI32(00000000), ref: 00FA71CF
FrameRect.USER32(?,?,00000000), ref: 00FA71DE
DeleteObject.GDI32(00000000), ref: 00FA71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FA7230
FillRect.USER32(?,?,?), ref: 00FA7262
GetWindowLongW.USER32(?,000000F0), ref: 00FA7284

Part of subcall function 00FA73E8: GetSysColor.USER32(00000012), ref: 00FA7421
Part of subcall function 00FA73E8: SetTextColor.GDI32(?,?), ref: 00FA7425
Part of subcall function 00FA73E8: GetSysColorBrush.USER32(0000000F), ref: 00FA743B
Part of subcall function 00FA73E8: GetSysColor.USER32(0000000F), ref: 00FA7446
Part of subcall function 00FA73E8: GetSysColor.USER32(00000011), ref: 00FA7463
Part of subcall function 00FA73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FA7471
Part of subcall function 00FA73E8: SelectObject.GDI32(?,00000000), ref: 00FA7482
Part of subcall function 00FA73E8: SetBkColor.GDI32(?,00000000), ref: 00FA748B
Part of subcall function 00FA73E8: SelectObject.GDI32(?,?), ref: 00FA7498
Part of subcall function 00FA73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FA74B7
Part of subcall function 00FA73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FA74CE
Part of subcall function 00FA73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FA74DB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: eb76d3ab45926c822deecba1eec47705f9b91d323c657f8f746d9571a329887d
Instruction ID: d04c71757c27198e8bae4d89cb1ec8c44354b5f3d08410e3822f7d8d4b2ea011
Opcode Fuzzy Hash: eb76d3ab45926c822deecba1eec47705f9b91d323c657f8f746d9571a329887d
Instruction Fuzzy Hash: EAA1B2B2508305AFDB00AF60DC48E6B7BE9FF4A320F140A19F962961E1D771E944EF91

Function 00F28D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F28E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F66AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F66AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F66F43

Part of subcall function 00F28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F28BE8,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28FC5

SendMessageW.USER32(?,00001053), ref: 00F66F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F66F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FB7

Strings

0, xrefs: 00F66DCF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 8cadbf5f5379b2cb02763ceeeee922029308a9d93c76381e26a6537a2a1878b0
Instruction ID: 71819e3400a04f9dd9f9a23e563ef4ab765d45c6c40bb3983cbb04a783feb7d1
Opcode Fuzzy Hash: 8cadbf5f5379b2cb02763ceeeee922029308a9d93c76381e26a6537a2a1878b0
Instruction Fuzzy Hash: 3512AC30A01655EFDB25CF14D884BAABBE5FB45320F184469F495CB262CB32AC52FB91

Function 00F92711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F9273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F9286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F92900
GetClientRect.USER32(00000000,?), ref: 00F9290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F92955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F92964
GetStockObject.GDI32(00000011), ref: 00F92974
SelectObject.GDI32(00000000,00000000), ref: 00F92978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F92988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F92991
DeleteDC.GDI32(00000000), ref: 00F9299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F92A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F92A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F92A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F92A77
GetStockObject.GDI32(00000011), ref: 00F92A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F92A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F92A97

Strings

msctls_progress32, xrefs: 00F92A13
static, xrefs: 00F9294F, 00F92A71
DISPLAY, xrefs: 00F9295A
AutoIt v3, xrefs: 00F928F8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8856f8b1c694674b651e845a912d6b1cb2549ef994920e50b845b602df12be23
Instruction ID: 821aa8072f3e24e3cd7da1aad279e681480942fd3f357d98cb91087263e74100
Opcode Fuzzy Hash: 8856f8b1c694674b651e845a912d6b1cb2549ef994920e50b845b602df12be23
Instruction Fuzzy Hash: ACB14BB1A00219AFEB14DFA9CC89FAE7BA9FB49710F004115F915EB290D774ED40DBA0

Function 00F84ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F84AED
GetDriveTypeW.KERNEL32(?,00FACB68,?,\\.\,00FACC08), ref: 00F84BCA
SetErrorMode.KERNEL32(00000000,00FACB68,?,\\.\,00FACC08), ref: 00F84D36

Strings

USB, xrefs: 00F84CB4
Fibre, xrefs: 00F84CAD
MMC, xrefs: 00F84CDE
iSCSI, xrefs: 00F84CC2
Removable, xrefs: 00F84C10, 00F84C15
Network, xrefs: 00F84C02
PhysicalDrive, xrefs: 00F84B76
Unknown, xrefs: 00F84BED, 00F84C83
FileBackedVirtual, xrefs: 00F84CEC
Fixed, xrefs: 00F84C09
\\.\, xrefs: 00F84B3F
ATA, xrefs: 00F84C98
CDROM, xrefs: 00F84BFB
SCSI, xrefs: 00F84C8A
SSA, xrefs: 00F84CA6
SATA, xrefs: 00F84CD0
RAMDisk, xrefs: 00F84BF4
SSD, xrefs: 00F84C4A
RAID, xrefs: 00F84CBB
1394, xrefs: 00F84C9F
ATAPI, xrefs: 00F84C91
Virtual, xrefs: 00F84CE5
SAS, xrefs: 00F84CC9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ad04b6a0ebb14320243d30debbf9501a4ebe3226512af14e159ce494b13ea84d
Instruction ID: eb7b14fa1092df947b0eb08cf93c6d7ad20cbce641cda72bf6fe02146a7227d4
Opcode Fuzzy Hash: ad04b6a0ebb14320243d30debbf9501a4ebe3226512af14e159ce494b13ea84d
Instruction Fuzzy Hash: F96194317052079BCB04FF14CA81AE9B7B6AB46354B288416F806EB791DB75FD41FB82

Function 00FA73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FA7421
SetTextColor.GDI32(?,?), ref: 00FA7425
GetSysColorBrush.USER32(0000000F), ref: 00FA743B
GetSysColor.USER32(0000000F), ref: 00FA7446
CreateSolidBrush.GDI32(?), ref: 00FA744B
GetSysColor.USER32(00000011), ref: 00FA7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FA7471
SelectObject.GDI32(?,00000000), ref: 00FA7482
SetBkColor.GDI32(?,00000000), ref: 00FA748B
SelectObject.GDI32(?,?), ref: 00FA7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FA74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FA74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FA7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FA7572
DrawFocusRect.USER32(?,?), ref: 00FA757D
GetSysColor.USER32(00000011), ref: 00FA758E
SetTextColor.GDI32(?,00000000), ref: 00FA7596
DrawTextW.USER32(?,00FA70F5,000000FF,?,00000000), ref: 00FA75A8
SelectObject.GDI32(?,?), ref: 00FA75BF
DeleteObject.GDI32(?), ref: 00FA75CA
SelectObject.GDI32(?,?), ref: 00FA75D0
DeleteObject.GDI32(?), ref: 00FA75D5
SetTextColor.GDI32(?,?), ref: 00FA75DB
SetBkColor.GDI32(?,?), ref: 00FA75E5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9d6dc591ef992a19ec6d802e58d33e5048b79c66ee9dc71610260aaecfc8a794
Instruction ID: ad1c4316043c7074d9f991e594f814ae4c952015e914f71667790acf4b402c58
Opcode Fuzzy Hash: 9d6dc591ef992a19ec6d802e58d33e5048b79c66ee9dc71610260aaecfc8a794
Instruction Fuzzy Hash: 3B6171B2D00218AFDF019FA4DC49EAE7FB9EF0A320F154125F915AB2A1D7749940EF90

Function 00FA0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FA1128
GetDesktopWindow.USER32 ref: 00FA113D
GetWindowRect.USER32(00000000), ref: 00FA1144
GetWindowLongW.USER32(?,000000F0), ref: 00FA1199
DestroyWindow.USER32(?), ref: 00FA11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FA1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FA1245
IsWindowVisible.USER32(00000000), ref: 00FA12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FA12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FA12D0
GetWindowRect.USER32(00000000,?), ref: 00FA12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FA130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FA1328
CopyRect.USER32(?,?), ref: 00FA133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FA13AA

Strings

0, xrefs: 00FA10D3
tooltips_class32, xrefs: 00FA11E6
(, xrefs: 00FA131B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 90e5e1787551b5f540acf3288884726b709634f63554d215b71eaadf750b6b68
Instruction ID: 47faa9f0e2d8ef3fd6e95de5606e80df042d81665389117227de7549c4d63c71
Opcode Fuzzy Hash: 90e5e1787551b5f540acf3288884726b709634f63554d215b71eaadf750b6b68
Instruction Fuzzy Hash: F2B19DB1608341AFDB04DF64C884BABBBE5FF85350F00891CF9999B2A1D771E844EB91

Function 00FA0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA02E5
_wcslen.LIBCMT ref: 00FA031F
_wcslen.LIBCMT ref: 00FA0389
_wcslen.LIBCMT ref: 00FA03F1
_wcslen.LIBCMT ref: 00FA0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FA04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA0504

Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD

Part of subcall function 00F7223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F72258
Part of subcall function 00F7223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F7228A

Strings

SELECTALL, xrefs: 00FA0515
SELECTCLEAR, xrefs: 00FA052D
VIEWCHANGE, xrefs: 00FA0675
GETITEMCOUNT, xrefs: 00FA0316, 00FA0337
ISSELECTED, xrefs: 00FA04DD
GETSELECTEDCOUNT, xrefs: 00FA0470, 00FA048B
GETSUBITEMCOUNT, xrefs: 00FA0384, 00FA039F
SELECT, xrefs: 00FA0548
GETTEXT, xrefs: 00FA03EC, 00FA0407
DESELECT, xrefs: 00FA059C
SELECTINVERT, xrefs: 00FA057E
GETSELECTED, xrefs: 00FA05E1
FINDITEM, xrefs: 00FA0627

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 4762c0995b61c35ebe1cb250fa9151a5b47ef27dca456a703e84dabb94ed99a0
Instruction ID: bed29f78c917bc5c47989f17a4692dc5efb5ea8f0681c87cefd49e428609eb1f
Opcode Fuzzy Hash: 4762c0995b61c35ebe1cb250fa9151a5b47ef27dca456a703e84dabb94ed99a0
Instruction Fuzzy Hash: 89E1F3716183008FC714EF24D85092AB3E6FF89324F14496DF8969B3A2DB34ED45EB81

Function 00F28891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F28968
GetSystemMetrics.USER32(00000007), ref: 00F28970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F2899B
GetSystemMetrics.USER32(00000008), ref: 00F289A3
GetSystemMetrics.USER32(00000004), ref: 00F289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F28A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F28A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F28A5A
GetStockObject.GDI32(00000011), ref: 00F28A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F28A81

Part of subcall function 00F2912D: GetCursorPos.USER32(?), ref: 00F29141
Part of subcall function 00F2912D: ScreenToClient.USER32(00000000,?), ref: 00F2915E
Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000001), ref: 00F29183
Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000002), ref: 00F2919D

SetTimer.USER32(00000000,00000000,00000028,00F290FC), ref: 00F28AA8

Strings

AutoIt v3 GUI, xrefs: 00F28A20

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 77cbedcd2e961c9fc011c7f2878d3262285acb962bf866a4b777c795ed5a22d7
Instruction ID: da71aed544062d2bd71227c265b3a8d04031d9a694c513b600a8ccffe4372143
Opcode Fuzzy Hash: 77cbedcd2e961c9fc011c7f2878d3262285acb962bf866a4b777c795ed5a22d7
Instruction Fuzzy Hash: 85B19E71A002199FDB14DFA8DD85BAE3BB5FB48314F104229FA15EB290DB74E941EF90

Function 00F70D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
Part of subcall function 00F710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
Part of subcall function 00F710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
Part of subcall function 00F710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F70DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F70E29
GetLengthSid.ADVAPI32(?), ref: 00F70E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F70E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F70E96
GetLengthSid.ADVAPI32(?), ref: 00F70EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F70EB5
HeapAlloc.KERNEL32(00000000), ref: 00F70EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F70EDD
CopySid.ADVAPI32(00000000), ref: 00F70EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F70F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F70F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F70F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F6E
HeapFree.KERNEL32(00000000), ref: 00F70F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F7E
HeapFree.KERNEL32(00000000), ref: 00F70F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F8E
HeapFree.KERNEL32(00000000), ref: 00F70F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F70FA1
HeapFree.KERNEL32(00000000), ref: 00F70FA8

Part of subcall function 00F71193: GetProcessHeap.KERNEL32(00000008,00F70BB1,?,00000000,?,00F70BB1,?), ref: 00F711A1
Part of subcall function 00F71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F70BB1,?), ref: 00F711A8
Part of subcall function 00F71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F70BB1,?), ref: 00F711B7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 847596b0736a66d964cf1034df7bb3bf1b12179f57182c64e48a8ca21b86f2c8
Instruction ID: 15c2060cb5f2cd18fa69fe8676308541b070952ba5bae1cdc7ad886255c0bd1b
Opcode Fuzzy Hash: 847596b0736a66d964cf1034df7bb3bf1b12179f57182c64e48a8ca21b86f2c8
Instruction Fuzzy Hash: B9713CB290020AEBDB20DFA5DC45FEEBBB8FF05310F148116F919E6191DB719905DBA1

Function 00F9C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FACC08,00000000,?,00000000,?,?), ref: 00F9C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F9C5A4
_wcslen.LIBCMT ref: 00F9C5F4
_wcslen.LIBCMT ref: 00F9C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F9C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F9C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F9C84D
RegCloseKey.ADVAPI32(?), ref: 00F9C881
RegCloseKey.ADVAPI32(00000000), ref: 00F9C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F9C960

Strings

REG_QWORD, xrefs: 00F9C8C3
REG_DWORD, xrefs: 00F9C804
REG_SZ, xrefs: 00F9C644
REG_MULTI_SZ, xrefs: 00F9C6F5
REG_BINARY, xrefs: 00F9C913
REG_EXPAND_SZ, xrefs: 00F9C5CD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9b4a0df433b8ffab8e2ff801624033100ef46bb905da2c0a6007dfd78575cfa4
Instruction ID: b730b06732a131571ec4d733dbd8d9f5d4e6720d3599fbfa7f76ad6dc2c625ae
Opcode Fuzzy Hash: 9b4a0df433b8ffab8e2ff801624033100ef46bb905da2c0a6007dfd78575cfa4
Instruction Fuzzy Hash: B3127A756043019FDB14EF14C891A6AB7E5EF88724F09885CF84A9B3A2DB35FC41EB81

Function 00FA091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA09C6
_wcslen.LIBCMT ref: 00FA0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA0A54
_wcslen.LIBCMT ref: 00FA0A8A
_wcslen.LIBCMT ref: 00FA0B06
_wcslen.LIBCMT ref: 00FA0B81

Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD

Part of subcall function 00F72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F72BFA

Strings

EXPAND, xrefs: 00FA0BF8
COLLAPSE, xrefs: 00FA0B01, 00FA0B1C
EXISTS, xrefs: 00FA0B7C, 00FA0B97
CHECK, xrefs: 00FA0A85, 00FA0AA0
ISCHECKED, xrefs: 00FA0CE1
SELECT, xrefs: 00FA0D11
GETTOTALCOUNT, xrefs: 00FA09F2, 00FA0A17
UNCHECK, xrefs: 00FA0D3E
GETTEXT, xrefs: 00FA0C97
GETSELECTED, xrefs: 00FA0C4E
GETITEMCOUNT, xrefs: 00FA0C1E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b7fcbe73d67f7ba2efa6d5163b281c68492b0b5e1e6679bd3826296b786a31f3
Instruction ID: 5e4767262cb8fdbb8a917510ba2d9a122a73ea0b90d7304b51345084f26ece9d
Opcode Fuzzy Hash: b7fcbe73d67f7ba2efa6d5163b281c68492b0b5e1e6679bd3826296b786a31f3
Instruction Fuzzy Hash: 16E1CF726083018FC714EF24D85092AB7E2FF89364F14895DF8999B362DB34ED45EB91

Function 00F9C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
_wcslen.LIBCMT ref: 00F9C9F1
_wcslen.LIBCMT ref: 00F9CA68
_wcslen.LIBCMT ref: 00F9CA9E
_wcslen.LIBCMT ref: 00F9CAF9
_wcslen.LIBCMT ref: 00F9CB2F
_wcslen.LIBCMT ref: 00F9CB7F

Strings

HKLM, xrefs: 00F9CA98, 00F9CA9D
HKCC, xrefs: 00F9CBAC
HKCU, xrefs: 00F9CBCE
HKEY_CURRENT_USER, xrefs: 00F9CBBD
HKEY_CURRENT_CONFIG, xrefs: 00F9CB79, 00F9CB7E
HKEY_LOCAL_MACHINE, xrefs: 00F9CA62, 00F9CA67
HKCR, xrefs: 00F9CB29, 00F9CB2E
HKEY_CLASSES_ROOT, xrefs: 00F9CAF3, 00F9CAF8
HKEY_USERS, xrefs: 00F9CBDF
HKU, xrefs: 00F9CBF0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 4d54c8062f344cf04500ae3bc2cdc9035af6aed71f1f5b9bccadbed98fba196b
Instruction ID: e114cf4f65b76a34d08b1bc02742c206313882a9cf7a0280e228949fbf7ce260
Opcode Fuzzy Hash: 4d54c8062f344cf04500ae3bc2cdc9035af6aed71f1f5b9bccadbed98fba196b
Instruction Fuzzy Hash: 94711533A0016A8BEF20DE78CD516BE3391ABA0774F550529F8569B285F639DD84F3E0

Function 00FA833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA835A
_wcslen.LIBCMT ref: 00FA836E
_wcslen.LIBCMT ref: 00FA8391
_wcslen.LIBCMT ref: 00FA83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FA83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FA5BF2), ref: 00FA844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FA84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8501
FreeLibrary.KERNEL32(?), ref: 00FA850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FA851D
DestroyIcon.USER32(?,?,?,?,?,00FA5BF2), ref: 00FA852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FA8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FA8555

Strings

.icl, xrefs: 00FA8368
.exe, xrefs: 00FA8388
.dll, xrefs: 00FA83AB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9a6f10093a558555770097cffde1cab3901ceeeeaee0072c5a5c499c901ca0b1
Instruction ID: b745070c912a30851dbd648a74f2fdfbc74dbd510c181a5b04d98f384f974628
Opcode Fuzzy Hash: 9a6f10093a558555770097cffde1cab3901ceeeeaee0072c5a5c499c901ca0b1
Instruction Fuzzy Hash: B161F1B1900209BEEB14DF64CC45BFE77A8BF09761F104509FC15DA1D1EBB8A981E7A0

Function 00F17778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 00F5528C
Cannot parse #include, xrefs: 00F55279
#OnAutoItStartRegister, xrefs: 00F17817
#requireadmin, xrefs: 00F177FF
#ce, xrefs: 00F178ED
#cs, xrefs: 00F17873, 00F178C5
#notrayicon, xrefs: 00F177E7
', xrefs: 00F55169
#comments-end, xrefs: 00F178D9
#include, xrefs: 00F17847
#pragma compile, xrefs: 00F177D3
", xrefs: 00F55153
#comments-start, xrefs: 00F1785F, 00F178B1
Bad directive syntax error, xrefs: 00F5519A
#include-once, xrefs: 00F1782F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 48f5d3a9483c3074157808a05548023d0b536cd3c6b0bd7c2d243236b6b45c5f
Instruction ID: ab3811961e8e8a5f7883239067c8125b976f2655437c910b1da2335694e310b8
Opcode Fuzzy Hash: 48f5d3a9483c3074157808a05548023d0b536cd3c6b0bd7c2d243236b6b45c5f
Instruction Fuzzy Hash: EF8106B1A04705ABDB20BF60DC52FEE3B74AF05760F044024FD09AA192EB78D985F7A1

Function 00F75A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F75A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F75A40
SetWindowTextW.USER32(?,?), ref: 00F75A57
GetDlgItem.USER32(?,000003EA), ref: 00F75A6C
SetWindowTextW.USER32(00000000,?), ref: 00F75A72
GetDlgItem.USER32(?,000003E9), ref: 00F75A82
SetWindowTextW.USER32(00000000,?), ref: 00F75A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F75AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F75AC3
GetWindowRect.USER32(?,?), ref: 00F75ACC
_wcslen.LIBCMT ref: 00F75B33
SetWindowTextW.USER32(?,?), ref: 00F75B6F
GetDesktopWindow.USER32 ref: 00F75B75
GetWindowRect.USER32(00000000), ref: 00F75B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F75BD3
GetClientRect.USER32(?,?), ref: 00F75BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F75C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F75C2F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7fd0236e8e4447f286c417188eb608e6e7679a11581d1bdc0106f86803d8bfaf
Instruction ID: 78d2ebcaeb22eb1eaa5cd5d210825e0668f7e9d35d28489e54bdf807b89754bf
Opcode Fuzzy Hash: 7fd0236e8e4447f286c417188eb608e6e7679a11581d1bdc0106f86803d8bfaf
Instruction Fuzzy Hash: CA717F71900B099FDB20DFA8CE85F6EBBF5FF48B14F104919E14AA26A0D7B4E944DB50

Function 00F300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F300C6

Part of subcall function 00F300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FE070C,00000FA0,F213B887,?,?,?,?,00F523B3,000000FF), ref: 00F3011C
Part of subcall function 00F300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F523B3,000000FF), ref: 00F30127
Part of subcall function 00F300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F523B3,000000FF), ref: 00F30138
Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F3014E
Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F3015C
Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F3016A
Part of subcall function 00F300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F30195
Part of subcall function 00F300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F301A0

___scrt_fastfail.LIBCMT ref: 00F300E7

Part of subcall function 00F300A3: __onexit.LIBCMT ref: 00F300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F30122
kernel32.dll, xrefs: 00F30133
InitializeConditionVariable, xrefs: 00F30148
WakeAllConditionVariable, xrefs: 00F30162
SleepConditionVariableCS, xrefs: 00F30154

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ae90f1dbe776af6883f1f108ab9a3d7df12ea1c0f20e30d5e773e7f8ba3d4ba6
Instruction ID: 52d297bbcfc3a45edbc9409646a9248e23c14a734bbb128772a2b026c6a016a9
Opcode Fuzzy Hash: ae90f1dbe776af6883f1f108ab9a3d7df12ea1c0f20e30d5e773e7f8ba3d4ba6
Instruction Fuzzy Hash: 3E21F6B2E447156BE7216BA4AC55B2A73A4EB46B71F00013BF801E7291DFB4DC00BAD1

Function 00F730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F7318D
_wcslen.LIBCMT ref: 00F731F8

Strings

REGEXPCLASS, xrefs: 00F73255, 00F73266
INSTANCE, xrefs: 00F73453
NAME, xrefs: 00F73335, 00F73346
TEXT, xrefs: 00F7347C
CLASS, xrefs: 00F73188, 00F731A5
CLASSNN, xrefs: 00F731F3, 00F73204

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b21d95e34a31bcc4ac6d6ee5dcad85b1c4ccc182cf416518255d1fdc9a56b0b3
Instruction ID: 805c08a03f3614ec3999555234189a68951168868ab0fef1cfa4a768a1df9a57
Opcode Fuzzy Hash: b21d95e34a31bcc4ac6d6ee5dcad85b1c4ccc182cf416518255d1fdc9a56b0b3
Instruction Fuzzy Hash: F7E1B332E00516BACB18DF74C8517EEBBB1BF54720F58C12BE45AA7241DB30AE85B791

Function 00F844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FACC08), ref: 00F84527
_wcslen.LIBCMT ref: 00F8453B
_wcslen.LIBCMT ref: 00F84599
_wcslen.LIBCMT ref: 00F845F4
_wcslen.LIBCMT ref: 00F8463F
_wcslen.LIBCMT ref: 00F846A7

Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD

GetDriveTypeW.KERNEL32(?,00FD6BF0,00000061), ref: 00F84743

Strings

all, xrefs: 00F84531, 00F84536
ramdisk, xrefs: 00F846F1
network, xrefs: 00F8469D, 00F846A2
unknown, xrefs: 00F84708
cdrom, xrefs: 00F8458F, 00F84594
removable, xrefs: 00F845EA, 00F845EF
fixed, xrefs: 00F84635, 00F8463A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e4a2271a74b4ddcb24c26171fcf934f8cb266b64ef0056fe7653b0da92791193
Instruction ID: 404036e4343d82e98cf17e28d52183cef4561ba7425fa03278aa2460e64913c9
Opcode Fuzzy Hash: e4a2271a74b4ddcb24c26171fcf934f8cb266b64ef0056fe7653b0da92791193
Instruction Fuzzy Hash: D4B1C371A083029FC710EF28C890AAEF7E5AFA5770F54491DF496C7291E734E944EB92

Function 00F9AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B1D4
_wcslen.LIBCMT ref: 00F9B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B236
_wcslen.LIBCMT ref: 00F9B332

Part of subcall function 00F805A7: GetStdHandle.KERNEL32(000000F6), ref: 00F805C6

_wcslen.LIBCMT ref: 00F9B34B
_wcslen.LIBCMT ref: 00F9B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9B3B6
GetLastError.KERNEL32(00000000), ref: 00F9B407
CloseHandle.KERNEL32(?), ref: 00F9B439
CloseHandle.KERNEL32(00000000), ref: 00F9B44A
CloseHandle.KERNEL32(00000000), ref: 00F9B45C
CloseHandle.KERNEL32(00000000), ref: 00F9B46E
CloseHandle.KERNEL32(?), ref: 00F9B4E3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f4a7cdd6a7f12ca56ab36304443f61039e170163b228ee893345eb08220e4137
Instruction ID: 7b9c1318610bbe6d2a85cbebd2839c188a008bde75c972f9ebb69c1645e8a32f
Opcode Fuzzy Hash: f4a7cdd6a7f12ca56ab36304443f61039e170163b228ee893345eb08220e4137
Instruction Fuzzy Hash: EDF1B131A04300DFDB15EF24D991B6EBBE1AF85320F18855DF4998B2A2DB35EC44EB52

Function 00F1326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00FE1990), ref: 00F52F8D
GetMenuItemCount.USER32(00FE1990), ref: 00F5303D
GetCursorPos.USER32(?), ref: 00F53081
SetForegroundWindow.USER32(00000000), ref: 00F5308A
TrackPopupMenuEx.USER32(00FE1990,00000000,?,00000000,00000000,00000000), ref: 00F5309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F530A9

Strings

0, xrefs: 00F1327D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4e16844a7c178e18ad67374c82a73d79cd16bbc6bb94fbb213d6abdb41532b79
Instruction ID: 81eeddc469333f45d36843a05757f8f2fe0c603af70c3f80c141d5ccb96b254d
Opcode Fuzzy Hash: 4e16844a7c178e18ad67374c82a73d79cd16bbc6bb94fbb213d6abdb41532b79
Instruction Fuzzy Hash: 8C713A71A44245BFEB219F24DC49F9ABFA4FF02374F204206FA156A1E0C7B1A954F791

Function 00FA6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FA6DEB

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FA6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FA6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA6E94
DestroyWindow.USER32(?), ref: 00FA6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F10000,00000000), ref: 00FA6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA6EFD
GetDesktopWindow.USER32 ref: 00FA6F16
GetWindowRect.USER32(00000000), ref: 00FA6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FA6F4D

Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952

Strings

0, xrefs: 00FA6D98
tooltips_class32, xrefs: 00FA6E58, 00FA6EDD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 385985307de1dcf7814dd6551aa6130b74d4f894b79ac90a73e7fd2f8c8565fb
Instruction ID: 6f7d4fb1a0114a399359fa86b3ce862b3c98c5ad4f011fd587bf94efaeb56c3b
Opcode Fuzzy Hash: 385985307de1dcf7814dd6551aa6130b74d4f894b79ac90a73e7fd2f8c8565fb
Instruction Fuzzy Hash: D47179B4544244AFDB21CF18DC84FAABBE9FB8A314F08041EF999C72A1D770E905EB55

Function 00FA911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

DragQueryPoint.SHELL32(?,?), ref: 00FA9147

Part of subcall function 00FA7674: ClientToScreen.USER32(?,?), ref: 00FA769A
Part of subcall function 00FA7674: GetWindowRect.USER32(?,?), ref: 00FA7710
Part of subcall function 00FA7674: PtInRect.USER32(?,?,00FA8B89), ref: 00FA7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FA91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FA91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FA9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FA923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9277
DragFinish.SHELL32(?), ref: 00FA927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FA9371

Strings

@GUI_DRAGID, xrefs: 00FA92E9
@GUI_DROPID, xrefs: 00FA929E
@GUI_DRAGFILE, xrefs: 00FA9320

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2a0e7a0fc800a2c0cce6ca70cd4cd2cf499d7eb091815aee926d1067bc66321a
Instruction ID: 1a70944e28b011f1fca421284fadfb50a4d10318ecaf0dca1fa82740ffb4d68c
Opcode Fuzzy Hash: 2a0e7a0fc800a2c0cce6ca70cd4cd2cf499d7eb091815aee926d1067bc66321a
Instruction Fuzzy Hash: E7618CB1108305AFD701DF61DC85DAFBBE8EF89350F40092EF595932A1DB709A49EB92

Function 00F8C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F8C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F8C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F8C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8C5F0
InternetCloseHandle.WININET(00000000), ref: 00F8C5FB

Strings

, xrefs: 00F8C575

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: aeee401ef33e8ee53f15c09bde4b998086b4d68e82897db1d934c44bf284eb1c
Instruction ID: bcc23adbcd20926d470808f06b6f1afd02702e98ea715769a6be0f6594e25456
Opcode Fuzzy Hash: aeee401ef33e8ee53f15c09bde4b998086b4d68e82897db1d934c44bf284eb1c
Instruction Fuzzy Hash: FF513BB1500609BFDB21AF64CD88AAB7BFCFF09754F04442AF9459A650DB34E944ABF0

Function 00FA856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FA8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FAFC38,?), ref: 00FA8611
GlobalFree.KERNEL32(00000000), ref: 00FA8621
GetObjectW.GDI32(?,00000018,?), ref: 00FA8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FA8671
DeleteObject.GDI32(?), ref: 00FA8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FA86AF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 710bf5596f95c80a35f809ee23af0078d98b6bfaf0666e47b141bc7ccaf27f45
Instruction ID: 4c809e1f8b512b85dd920138534b330748d67773749694eac6e11125a1b57655
Opcode Fuzzy Hash: 710bf5596f95c80a35f809ee23af0078d98b6bfaf0666e47b141bc7ccaf27f45
Instruction Fuzzy Hash: 9A41EBB5A00208AFDB11DFA5DC48EAA7BB8FF8A765F144158F905E7260DB709D01EB60

Function 00F814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00F81502
VariantCopy.OLEAUT32(?,?), ref: 00F8150B
VariantClear.OLEAUT32(?), ref: 00F81517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00F81657
VariantInit.OLEAUT32(?), ref: 00F81708
SysFreeString.OLEAUT32(?), ref: 00F8178C
VariantClear.OLEAUT32(?), ref: 00F817D8
VariantClear.OLEAUT32(?), ref: 00F817E7
VariantInit.OLEAUT32(00000000), ref: 00F81823

Strings

Default, xrefs: 00F816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00F81625

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: dad31c93ea2d1d67cc0c3871caffcf68adffffa1594e83785b246341261db938
Instruction ID: 9558716078b4b187d2938dde49a0e726e681bb3f0f7aff386e9dc3ed60b2db6f
Opcode Fuzzy Hash: dad31c93ea2d1d67cc0c3871caffcf68adffffa1594e83785b246341261db938
Instruction Fuzzy Hash: 55D11472A00115DBCB10AF65E885BFDB7B9BF46700F18825AE846AF180DB34DC46FB91

Function 00F9B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F9B80A
RegCloseKey.ADVAPI32(?), ref: 00F9B87E
RegCloseKey.ADVAPI32(?), ref: 00F9B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F9B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9B922
FreeLibrary.KERNEL32(00000000), ref: 00F9B983
RegCloseKey.ADVAPI32(00000000), ref: 00F9B994

Strings

RegDeleteKeyExW, xrefs: 00F9B8FE
advapi32.dll, xrefs: 00F9B8ED

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 80cb02ab0f99e3d998ad5e8b28db14751e479dce7fb2baeca1f7bfda4e2b03e9
Instruction ID: 47c9103f6c652a056837ee1600acc4f7460a1bf8ac615f2ec68c183d3e6c0385
Opcode Fuzzy Hash: 80cb02ab0f99e3d998ad5e8b28db14751e479dce7fb2baeca1f7bfda4e2b03e9
Instruction Fuzzy Hash: F7C1B130608201AFEB14DF14D994F2ABBE1FF84314F14855CF5598B2A2CB75EC86EB91

Function 00F9255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F925E8
CreateCompatibleDC.GDI32(?), ref: 00F925F4
SelectObject.GDI32(00000000,?), ref: 00F92601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F9266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F926D0
SelectObject.GDI32(?,?), ref: 00F926D8
DeleteObject.GDI32(?), ref: 00F926E1
DeleteDC.GDI32(?), ref: 00F926E8
ReleaseDC.USER32(00000000,?), ref: 00F926F3

Strings

(, xrefs: 00F9268D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7f34ee599ad2aa4d22eae2d48b3ed3e1bc8514e048a34fbf79159d3b604fde40
Instruction ID: 3c4fb677ca0d80825175077d6b9566ecd8918bc7780883f20fda1b975b90b2a0
Opcode Fuzzy Hash: 7f34ee599ad2aa4d22eae2d48b3ed3e1bc8514e048a34fbf79159d3b604fde40
Instruction Fuzzy Hash: D161D1B5E00219EFDF05CFA4D884AAEBBB5FF48310F208529E955A7250E774A941DFA0

Function 00F4DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F4DAA1

Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D659
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D66B
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D67D
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D68F
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6A1
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6B3
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6C5
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6D7
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6E9
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6FB
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D70D
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D71F
Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D731

_free.LIBCMT ref: 00F4DA96

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F4DAB8
_free.LIBCMT ref: 00F4DACD
_free.LIBCMT ref: 00F4DAD8
_free.LIBCMT ref: 00F4DAFA
_free.LIBCMT ref: 00F4DB0D
_free.LIBCMT ref: 00F4DB1B
_free.LIBCMT ref: 00F4DB26
_free.LIBCMT ref: 00F4DB5E
_free.LIBCMT ref: 00F4DB65
_free.LIBCMT ref: 00F4DB82
_free.LIBCMT ref: 00F4DB9A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98cb1cca28a579ec4e89b6ef746939aaa3ca7305ddcf4104131d6788a87851f0
Instruction ID: 3586ab857309f4f7c1fc4e4ec15b1812f4078a282f56a6db7b615af6952802d6
Opcode Fuzzy Hash: 98cb1cca28a579ec4e89b6ef746939aaa3ca7305ddcf4104131d6788a87851f0
Instruction Fuzzy Hash: A7314C31A046059FEB61AA39EC45B567FE9FF40320F55442AF849D7292DB39AC40F720

Function 00F7365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F7369C
_wcslen.LIBCMT ref: 00F736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F73797
GetClassNameW.USER32(?,?,00000400), ref: 00F7380C
GetDlgCtrlID.USER32(?), ref: 00F7385D
GetWindowRect.USER32(?,?), ref: 00F73882
GetParent.USER32(?), ref: 00F738A0
ScreenToClient.USER32(00000000), ref: 00F738A7
GetClassNameW.USER32(?,?,00000100), ref: 00F73921
GetWindowTextW.USER32(?,?,00000400), ref: 00F7395D

Strings

%s%u, xrefs: 00F73734

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5cfd1b30b86c1b78e11f14f0ce40b31f89cd7eff9a4854b76b4a4640a63eebb6
Instruction ID: 5aba6cb1e8da2b7ea95e06d04d3097334557eb05928f02055ecc0d6331b60262
Opcode Fuzzy Hash: 5cfd1b30b86c1b78e11f14f0ce40b31f89cd7eff9a4854b76b4a4640a63eebb6
Instruction Fuzzy Hash: FA91B671604606BFD718DF24C885FAAB7A9FF44360F00C52AF99DD2190DB34EA45EB92

Function 00F74954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F74994
GetWindowTextW.USER32(?,?,00000400), ref: 00F749DA
_wcslen.LIBCMT ref: 00F749EB
CharUpperBuffW.USER32(?,00000000), ref: 00F749F7
_wcsstr.LIBVCRUNTIME ref: 00F74A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F74A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F74A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F74AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F74B20
GetWindowRect.USER32(?,?), ref: 00F74B8B

Strings

ThumbnailClass, xrefs: 00F74A6F, 00F74AF1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fd462afc2adceb5787d759e2095d617546d8ef5d3eb0554578d643baccf2474f
Instruction ID: 0880e17c5a7f4c028f3155a1708d3f008fa03360c9947a13c3ccfb27fbdb8c0f
Opcode Fuzzy Hash: fd462afc2adceb5787d759e2095d617546d8ef5d3eb0554578d643baccf2474f
Instruction Fuzzy Hash: 0491B1714082059FDB05DF14C981FAA77E8FF84324F04846AFD899A196DB34FD45EBA2

Function 00FA8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA8D5A
GetFocus.USER32 ref: 00FA8D6A
GetDlgCtrlID.USER32(00000000), ref: 00FA8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FA8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FA8ECF
GetMenuItemCount.USER32(?), ref: 00FA8EEC
GetMenuItemID.USER32(?,00000000), ref: 00FA8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FA8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FA8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FA8FA1

Strings

0, xrefs: 00FA8E9F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2432edef28e9c410bb8fdf028f2d818a41ba21b4d17134d5035479ff6469523d
Instruction ID: 42afa3136917475aa12328e2f702b8987ad22f2b7ac3855cbc9a448102c64540
Opcode Fuzzy Hash: 2432edef28e9c410bb8fdf028f2d818a41ba21b4d17134d5035479ff6469523d
Instruction Fuzzy Hash: D881A4B19043059FDB10CF14DC84AAB7BE9FF8A3A4F14051DF98597291DBB4D902EBA1

Function 00F7DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F7DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F7DC46
_wcslen.LIBCMT ref: 00F7DC50
_wcsstr.LIBVCRUNTIME ref: 00F7DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F7DCBC

Strings

04090000, xrefs: 00F7DCF2
DefaultLangCodepage, xrefs: 00F7DD1F
StringFileInfo\, xrefs: 00F7DC8F
%u.%u.%u.%u, xrefs: 00F7DD9A
\VarFileInfo\Translation, xrefs: 00F7DCB4

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: ff7e375f0129be6969b055fd7f22a226d373433fe573ca02bb68e4bcd9d5ad14
Instruction ID: 6b0ed2965f2e6405f05533485c59f8f3679a42ecbfec8e67d71d21a083cd9119
Opcode Fuzzy Hash: ff7e375f0129be6969b055fd7f22a226d373433fe573ca02bb68e4bcd9d5ad14
Instruction Fuzzy Hash: E14134729402157ADB15A770EC43EBF37BCEF42760F14406AF904E6182EB79E901B7A6

Function 00F9CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F9CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9CD48

Part of subcall function 00F9CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F9CCAA
Part of subcall function 00F9CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F9CCBD
Part of subcall function 00F9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9CCCF
Part of subcall function 00F9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9CD05
Part of subcall function 00F9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9CCF3

Strings

RegDeleteKeyExW, xrefs: 00F9CCC9
advapi32.dll, xrefs: 00F9CCB8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b82069c6fdd9f5c61a31fbdb1b0740f6ad0c8fe68e6c6918f4445b93b8833f77
Instruction ID: e8554f296e45f2a20230f9b58194ec5fe7f354c412c65bd1c687b791bb5f6e82
Opcode Fuzzy Hash: b82069c6fdd9f5c61a31fbdb1b0740f6ad0c8fe68e6c6918f4445b93b8833f77
Instruction Fuzzy Hash: CC317CB1E0112CBBEB219B51DC88EFFBB7CEF46754F000166E915E2240DA349A45BAE0

Function 00F83D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F83D40
_wcslen.LIBCMT ref: 00F83D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F83D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F83DBE
RemoveDirectoryW.KERNEL32(?), ref: 00F83DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F83E55
CloseHandle.KERNEL32(00000000), ref: 00F83E60
CloseHandle.KERNEL32(00000000), ref: 00F83E6B

Strings

\??\%s, xrefs: 00F83D5B
:, xrefs: 00F83D82
\, xrefs: 00F83D77

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 2aa84ec1d4ec72200868d37879f6a93b07a99ffa0ddbf0086382671babf27f1e
Instruction ID: 483b35fc86122e7f95dc493a6c9c56d4d64b9fd2ddd0f1dae65efea304916fcf
Opcode Fuzzy Hash: 2aa84ec1d4ec72200868d37879f6a93b07a99ffa0ddbf0086382671babf27f1e
Instruction Fuzzy Hash: 0E31B4B290021DABDB21ABA0DC49FEF37BCEF89B10F1040B5F505D6160EB7497459B64

Function 00F7E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F7E6B4

Part of subcall function 00F2E551: timeGetTime.WINMM(?,?,00F7E6D4), ref: 00F2E555

Sleep.KERNEL32(0000000A), ref: 00F7E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F7E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F7E727
SetActiveWindow.USER32 ref: 00F7E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F7E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F7E773
Sleep.KERNEL32(000000FA), ref: 00F7E77E
IsWindow.USER32 ref: 00F7E78A
EndDialog.USER32(00000000), ref: 00F7E79B

Strings

BUTTON, xrefs: 00F7E719

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f2763c31184d8c95fda7ce35813934990032b0447ea36d0cdf558e1d4b858ccb
Instruction ID: 2c66ca367aed65fd7ec69a7dd8f94155daf91080069e576fc7531ff70edfed6a
Opcode Fuzzy Hash: f2763c31184d8c95fda7ce35813934990032b0447ea36d0cdf558e1d4b858ccb
Instruction Fuzzy Hash: 0C21A4B120024CAFEF005F24ECC9E253B6DF759358B148467F51D862B1EBB5AC00BA66

Function 00F7E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F7EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F7EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F7EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F7EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F7EAA7

Strings

open , xrefs: 00F7EA0C
close PlayMe, xrefs: 00F7EA6E, 00F7EA9B
play PlayMe, xrefs: 00F7EAA2
alias PlayMe, xrefs: 00F7EA36
status PlayMe mode, xrefs: 00F7EA58
play PlayMe wait, xrefs: 00F7EA91

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b1e3dc930cb34f969830b8a6a6aa4b72c18333283454d12ccf455e50283528c3
Instruction ID: ae21b7e5d1488ad26d033c179f5202062688c5dd07dc995aa7644f9405788e2a
Opcode Fuzzy Hash: b1e3dc930cb34f969830b8a6a6aa4b72c18333283454d12ccf455e50283528c3
Instruction Fuzzy Hash: 2B11A331A5021979E720A7A1DC5ADFF7B7CEBD5B10F44042BB811E20D0EEB45945E5B3

Function 00F75CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F75CE2
GetWindowRect.USER32(00000000,?), ref: 00F75CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F75D59
GetDlgItem.USER32(?,00000002), ref: 00F75D69
GetWindowRect.USER32(00000000,?), ref: 00F75D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F75DCF
GetDlgItem.USER32(?,000003E9), ref: 00F75DDD
GetWindowRect.USER32(00000000,?), ref: 00F75DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F75E31
GetDlgItem.USER32(?,000003EA), ref: 00F75E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F75E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F75E67

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dd5fc85f656487f4b9a02a602d2ffca6d2b86695b3b6e4037111fb564d465db0
Instruction ID: 20723c6aa33528cb24800145e60f7196820ce517b93f52c40a2d7e1aeea0d83e
Opcode Fuzzy Hash: dd5fc85f656487f4b9a02a602d2ffca6d2b86695b3b6e4037111fb564d465db0
Instruction Fuzzy Hash: 3151FDB1E00609AFDF18CF68DD89AAEBBB5FB48710F148129F519E7290D7709E04DB91

Function 00F28BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F28BE8,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28FC5

DestroyWindow.USER32(?), ref: 00F28C81
KillTimer.USER32(00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F66973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000), ref: 00F669D4
DeleteObject.GDI32(00000000), ref: 00F669E6

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 71a07e1f97c80ca1ecd0b84a38c7903ca708c0f0be3fb107785658bdc0e561fd
Instruction ID: 693329cc880dd042a12cde1355d877f349e7029ac7ac17358a3c95f5d2aaa993
Opcode Fuzzy Hash: 71a07e1f97c80ca1ecd0b84a38c7903ca708c0f0be3fb107785658bdc0e561fd
Instruction Fuzzy Hash: D861CD31902668DFDB259F25EA88B29B7F1FB41362F14851DE0429B560CB35AD82FF90

Function 00F29838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952

GetSysColor.USER32(0000000F), ref: 00F29862

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d1eab0cbd18c765409f24ddde9dc467e52fb477c3ea16ced3e9f7dd6ab0d1634
Instruction ID: 19da1f8c25153c4cf7d2b4f39bb38598868697d8216c51a6bfdfedda8ffea445
Opcode Fuzzy Hash: d1eab0cbd18c765409f24ddde9dc467e52fb477c3ea16ced3e9f7dd6ab0d1634
Instruction Fuzzy Hash: 4E41C4719086549FDB209F38AC88BF93BA5EB17330F584655F9A2872E2C7719C42FB50

Function 00F796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F79717
LoadStringW.USER32(00000000,?,00F5F7F8,00000001), ref: 00F79720

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F79742
LoadStringW.USER32(00000000,?,00F5F7F8,00000001), ref: 00F79745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F79866

Strings

Line %d:, xrefs: 00F797A0
Line %d (File "%s"):, xrefs: 00F7978F
^ ERROR, xrefs: 00F797FB
Error: , xrefs: 00F7981D
%s (%d) : ==> %s: %s %s, xrefs: 00F7984A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fb3179be6bd7f989455cbab185ba3f76b36ad2858b0a9b2ac4c33d299d00b1bd
Instruction ID: e8f3fc8f8e0d2073ad2b8631416c4659e5dc8dd93420a0df7f78697d1609108a
Opcode Fuzzy Hash: fb3179be6bd7f989455cbab185ba3f76b36ad2858b0a9b2ac4c33d299d00b1bd
Instruction Fuzzy Hash: BB419672804219AACF04FBE0DD52DEE7378EF15350F504026F605B2092EB796F88EBA1

Function 00F706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F70804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F7082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F70837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F7083C

Strings

\IPC$, xrefs: 00F70784
SOFTWARE\Classes\, xrefs: 00F7070E
\CLSID, xrefs: 00F70724

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 147ae6c7a8d7eeb7f304956b7eb576a5b46015a6cbe3dc20bf8e35110147732e
Instruction ID: 401679189a025698e2787f294fd9a6a4b42b6f882ee1fde958302dd701821928
Opcode Fuzzy Hash: 147ae6c7a8d7eeb7f304956b7eb576a5b46015a6cbe3dc20bf8e35110147732e
Instruction Fuzzy Hash: 57411872C10229EBCF15EBA4DC95CEDB778BF04750F44812AE905A3161EB74AE44EB91

Function 00F93C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F93C5C
CoInitialize.OLE32(00000000), ref: 00F93C8A
CoUninitialize.OLE32 ref: 00F93C94
_wcslen.LIBCMT ref: 00F93D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F93DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F93ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F93F0E
CoGetObject.OLE32(?,00000000,00FAFB98,?), ref: 00F93F2D
SetErrorMode.KERNEL32(00000000), ref: 00F93F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F93FC4
VariantClear.OLEAUT32(?), ref: 00F93FD8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 79873f2a8aae80326f6f7c4ce53d3a2ac0940e91cd1b7631a34e04f3902f1009
Instruction ID: 0c16f0b591482791b3e553c6de31969531d24a3e1dc8bd011d5b2e4b5cd7d7a8
Opcode Fuzzy Hash: 79873f2a8aae80326f6f7c4ce53d3a2ac0940e91cd1b7631a34e04f3902f1009
Instruction Fuzzy Hash: 58C147716083059FDB00DF68C88492BB7E9FF89758F00491DF98A9B250DB31EE45DB92

Function 00F87A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F87AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F87B8F
SHGetDesktopFolder.SHELL32(?), ref: 00F87BA3
CoCreateInstance.OLE32(00FAFD08,00000000,00000001,00FD6E6C,?), ref: 00F87BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F87C74
CoTaskMemFree.OLE32(?,?), ref: 00F87CCC
SHBrowseForFolderW.SHELL32(?), ref: 00F87D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F87D7A
CoTaskMemFree.OLE32(00000000), ref: 00F87D81
CoTaskMemFree.OLE32(00000000), ref: 00F87DD6
CoUninitialize.OLE32 ref: 00F87DDC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fb51686ed5e7b731dd00960ca48d3efc84b7879ea2d4c35d3e7b277b5d4cdd46
Instruction ID: 7668f9e2d62ae3e3e7aaf1bee10aec43d2825f789c39a8cca2eb7006d0b64f9f
Opcode Fuzzy Hash: fb51686ed5e7b731dd00960ca48d3efc84b7879ea2d4c35d3e7b277b5d4cdd46
Instruction Fuzzy Hash: 61C13C75A04209AFCB14EFA4C884DAEBBF9FF49314B148499E819DB361D734EE41DB90

Function 00FA541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FA5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA5515
CharNextW.USER32(00000158), ref: 00FA5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FA5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FA559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA55AC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: b608b328989b13a9b1395224062f965a1f2f6bb7943005e9580c7807ca4569a2
Instruction ID: 21150df50cbd2ea1e9cccd6ff8521dc08e8cc868c4022360ed0dcc5f65ec9ba2
Opcode Fuzzy Hash: b608b328989b13a9b1395224062f965a1f2f6bb7943005e9580c7807ca4569a2
Instruction Fuzzy Hash: AC617AB5900608EFDF10DF54CC84AFE7BB9EF0BB24F144145F925AA290D7749A80EBA1

Function 00F6FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F6FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F6FB08
VariantInit.OLEAUT32(?), ref: 00F6FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F6FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F6FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F6FBA1
VariantClear.OLEAUT32(?), ref: 00F6FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F6FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F6FBCC
VariantClear.OLEAUT32(?), ref: 00F6FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F6FBE9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3eb6bd866d19b38830bae574ee011d9845f806be38ca6f16e48113a3b58ad32b
Instruction ID: 8cea5bf8569c71aa4b6d4d9bd912986544dd6214946e79738b6841291cd7cf25
Opcode Fuzzy Hash: 3eb6bd866d19b38830bae574ee011d9845f806be38ca6f16e48113a3b58ad32b
Instruction Fuzzy Hash: BF414E75A00219DFCB00DFA8DC549EEBBB9FF49354F008069E956A7261CB34E945EBA0

Function 00F79C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F79CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F79D22
GetKeyState.USER32(000000A0), ref: 00F79D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F79D57
GetKeyState.USER32(000000A1), ref: 00F79D6C
GetAsyncKeyState.USER32(00000011), ref: 00F79D84
GetKeyState.USER32(00000011), ref: 00F79D96
GetAsyncKeyState.USER32(00000012), ref: 00F79DAE
GetKeyState.USER32(00000012), ref: 00F79DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F79DD8
GetKeyState.USER32(0000005B), ref: 00F79DEA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8c1073041c1dd52d0568cc73f5d9ac12e4f63fc1092c4ba03e11c064733c484a
Instruction ID: 32b0c06d9391f8406750dbd87ea491eeb917cbd1026672604f9a4580f8fdb7a0
Opcode Fuzzy Hash: 8c1073041c1dd52d0568cc73f5d9ac12e4f63fc1092c4ba03e11c064733c484a
Instruction Fuzzy Hash: 8C41D874D0C7CA6DFF31876484043B5BEA06B12364F08C05BDACA566C2EBE499C4E7A3

Function 00F9055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F905BC
inet_addr.WSOCK32(?), ref: 00F9061C
gethostbyname.WSOCK32(?), ref: 00F90628
IcmpCreateFile.IPHLPAPI ref: 00F90636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F907B9
WSACleanup.WSOCK32 ref: 00F907BF

Strings

Ping, xrefs: 00F90676

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2ae32068d3f1a0b930882ff1d5cb826e90f8921ce7dd325bb17aa74fea0ee0a2
Instruction ID: 12e2d03363fbf8cef500e97e57f73fb2a3221813eb086b965ea12ff4c7011f47
Opcode Fuzzy Hash: 2ae32068d3f1a0b930882ff1d5cb826e90f8921ce7dd325bb17aa74fea0ee0a2
Instruction Fuzzy Hash: 57919175A042019FEB10CF15C888F16BBE0AF44328F1585A9F4698B6A2CB34FC45DF92

Function 00F98CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F98CF3

Part of subcall function 00F78E54: _wcslen.LIBCMT ref: 00F78E77

_wcslen.LIBCMT ref: 00F98D4E
_wcslen.LIBCMT ref: 00F98D9C
_wcslen.LIBCMT ref: 00F98DDC
_wcslen.LIBCMT ref: 00F98E6E

Strings

stdcall, xrefs: 00F98DD6, 00F98DDB
none, xrefs: 00F98E65, 00F98E6A
winapi, xrefs: 00F98D96, 00F98D9B
cdecl, xrefs: 00F98D48, 00F98D4D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5c3f110b33cc30d78fb69ffad6749dcc7ab0f888d2f59645d18575913084aa82
Instruction ID: e41939aa086541f6f1e3d560f1090c729afbc6e2192dce7d92c9b85b7af66a52
Opcode Fuzzy Hash: 5c3f110b33cc30d78fb69ffad6749dcc7ab0f888d2f59645d18575913084aa82
Instruction Fuzzy Hash: 0851B332E001169BDF14EFA8C8509BEB7A5BF663B0B24422AE416E72C4DB35DD41E790

Function 00F9372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F93774
CoUninitialize.OLE32 ref: 00F9377F
CoCreateInstance.OLE32(?,00000000,00000017,00FAFB78,?), ref: 00F937D9
IIDFromString.OLE32(?,?), ref: 00F9384C
VariantInit.OLEAUT32(?), ref: 00F938E4
VariantClear.OLEAUT32(?), ref: 00F93936

Strings

Invalid parameter, xrefs: 00F93865
NULL Pointer assignment, xrefs: 00F9381E
Failed to create object, xrefs: 00F937E4, 00F9389A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 484cd092a8a294d9f5654280ed03601c6819937100a538bfad4866d684f09012
Instruction ID: a7f8bfe8f97b7fc21370cb19ac6f373993c8e2df281d610031893ae0de2c4240
Opcode Fuzzy Hash: 484cd092a8a294d9f5654280ed03601c6819937100a538bfad4866d684f09012
Instruction Fuzzy Hash: B661A1B2608311AFE711DF54C848F6ABBE8EF49710F044809F9859B291D774EE48EB93

Function 00F83388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F833CF

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F833F0

Strings

^ ERROR , xrefs: 00F8349E
Incorrect parameters to object property !, xrefs: 00F834AB
Line %d (File "%s"):, xrefs: 00F83443, 00F8345C
Error: , xrefs: 00F834D1
"%s" (%d) : ==> %s:, xrefs: 00F83522
"%s" (%d) : ==> %s:%s%s, xrefs: 00F83504

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 752b2c93a56c4d7d5cc5d126f03f429c74b52143e9b4a24290d6c8fbf77e11c5
Instruction ID: 2692307d57edf32ec1436b688cc34cd218fa2824298c51ab6c806d3df3162415
Opcode Fuzzy Hash: 752b2c93a56c4d7d5cc5d126f03f429c74b52143e9b4a24290d6c8fbf77e11c5
Instruction Fuzzy Hash: 4951B371C0020AAADF14EBA0DD42EEEB379AF04740F144066F505B2161EB796F98FB61

Function 00F7B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F7B5FC
_wcslen.LIBCMT ref: 00F7B608
_wcslen.LIBCMT ref: 00F7B64D
_wcslen.LIBCMT ref: 00F7B68C
_wcslen.LIBCMT ref: 00F7B6C7

Strings

APPEND, xrefs: 00F7B6C1, 00F7B6C6
EXISTS, xrefs: 00F7B686, 00F7B68B
KEYS, xrefs: 00F7B647, 00F7B64C
REMOVE, xrefs: 00F7B602, 00F7B607

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4ca3a491c1a7657c115504904de9990e213366f8e9aa9614be9d5f2fe7f01942
Instruction ID: f1f50f1d8d44656d90cf8beda60bb62c31ec6678e1d561518d252bff0dbd4ef0
Opcode Fuzzy Hash: 4ca3a491c1a7657c115504904de9990e213366f8e9aa9614be9d5f2fe7f01942
Instruction Fuzzy Hash: 87412B32E0002A9BCB105F7DCC907BE77A1AF62774B24816BE629D7284E735CD81E791

Function 00F85393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F85416
GetLastError.KERNEL32 ref: 00F85420
SetErrorMode.KERNEL32(00000000,READY), ref: 00F854A7

Strings

UNKNOWN, xrefs: 00F85444
READY, xrefs: 00F85460, 00F85468
READONLY, xrefs: 00F85452
NOTREADY, xrefs: 00F8544B
INVALID, xrefs: 00F85459

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 36fc99c8e529513dd42fdcdae63c65f8dadf23f363f48acd03f29ce50d8ee4cd
Instruction ID: 42f97ba918a4bc2e8a3441be12fcbce5e61a54d4c28cec2af4f34f738638d399
Opcode Fuzzy Hash: 36fc99c8e529513dd42fdcdae63c65f8dadf23f363f48acd03f29ce50d8ee4cd
Instruction Fuzzy Hash: 7131CE75A002049FDB10EF68C894BEABBB5EF45715F188066E405CB392DB71ED82EB90

Function 00FA3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FA3C79
SetMenu.USER32(?,00000000), ref: 00FA3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA3D10
IsMenu.USER32(?), ref: 00FA3D24
CreatePopupMenu.USER32 ref: 00FA3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA3D5B
DrawMenuBar.USER32 ref: 00FA3D63

Strings

0, xrefs: 00FA3C54
F, xrefs: 00FA3D4E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 60fb384dff5ee55b9aaaa869f3cadb45d3c0d699147767ee63f8051ec6da3bfe
Instruction ID: 6ec3d12110354ffb4bf51d2ed8593c3bb97b76de9ef760408f1aff4b28868d5c
Opcode Fuzzy Hash: 60fb384dff5ee55b9aaaa869f3cadb45d3c0d699147767ee63f8051ec6da3bfe
Instruction Fuzzy Hash: 94412CB5A01209EFDB14CF65D884AEA7BF5FF4A360F140029F946A7360D771AA10EF94

Function 00F71EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F71F64
GetDlgCtrlID.USER32 ref: 00F71F6F
GetParent.USER32 ref: 00F71F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F71F8E
GetDlgCtrlID.USER32(?), ref: 00F71F97
GetParent.USER32(?), ref: 00F71FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F71FAE

Strings

ListBox, xrefs: 00F71F21
ComboBox, xrefs: 00F71EEC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1a7772f24803a21aebe6d7a906a3f4bdfcd9cc50e84d11f5acd83737727071db
Instruction ID: c65171eddec61e28ab29ab3766557e58e09644b67d2b935a27f8c17ed24f9311
Opcode Fuzzy Hash: 1a7772f24803a21aebe6d7a906a3f4bdfcd9cc50e84d11f5acd83737727071db
Instruction Fuzzy Hash: 4B21F275D00218BBCF11EFA4CC85EEEBBB8EF06350B004106F96963291CB785908FBA1

Function 00FA3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FA3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FA3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FA3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FA3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FA3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FA3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FA3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FA3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FA3C13

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 11d41af3b5a41cef9458f4769af9a74e78f348b4196e2948f1a14535a42d4487
Instruction ID: 1222fc9026a4e604a5fd9e090c031b9ac4b4032fc562c5c9ae34ad81929af061
Opcode Fuzzy Hash: 11d41af3b5a41cef9458f4769af9a74e78f348b4196e2948f1a14535a42d4487
Instruction Fuzzy Hash: 3C616DB5900248AFDB10DF64CC81EEE77F8EF49710F104159FA15A7291D774AE45EB60

Function 00F7B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F7B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B165
GetWindowThreadProcessId.USER32(00000000), ref: 00F7B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B21D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2b66953516b97643abfe7d5568284e63b54a7bdb2435018a56a5fcb05043c3f0
Instruction ID: 3870d3705b660a1b085a29802e778df11fa02e33e04fe26189388608cf1499ea
Opcode Fuzzy Hash: 2b66953516b97643abfe7d5568284e63b54a7bdb2435018a56a5fcb05043c3f0
Instruction Fuzzy Hash: 613152B590020CAFDB119F64EC8CB6D7B6AAB52325F108416FA09DB251D7B49E40EF61

Function 00F42C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F42C94

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F42CA0
_free.LIBCMT ref: 00F42CAB
_free.LIBCMT ref: 00F42CB6
_free.LIBCMT ref: 00F42CC1
_free.LIBCMT ref: 00F42CCC
_free.LIBCMT ref: 00F42CD7
_free.LIBCMT ref: 00F42CE2
_free.LIBCMT ref: 00F42CED
_free.LIBCMT ref: 00F42CFB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2337b247769be4598e2d75ca982d5684056cd83d57d1d353aa74cbeb1278ca71
Instruction ID: 50d89c94f672c55486e5a8f1f38975aac1ef9fe930be2da2c9424129e5a29290
Opcode Fuzzy Hash: 2337b247769be4598e2d75ca982d5684056cd83d57d1d353aa74cbeb1278ca71
Instruction Fuzzy Hash: 1B119276500108AFDB82EF59DC82CDD3FB5FF05350F9144A5FA489B222DA35EA50BB90

Function 00F11410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F11459
OleUninitialize.OLE32(?,00000000), ref: 00F114F8
UnregisterHotKey.USER32(?), ref: 00F116DD
DestroyWindow.USER32(?), ref: 00F524B9
FreeLibrary.KERNEL32(?), ref: 00F5251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F5254B

Strings

close all, xrefs: 00F11454

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a09485bc29fa613e2dc59eea942485db1f33dc53344c7d0e3a51c739d71456f0
Instruction ID: d365b8062d66e0158282e28843e69154f23b369d829c24d3ad0afc033ed68b9c
Opcode Fuzzy Hash: a09485bc29fa613e2dc59eea942485db1f33dc53344c7d0e3a51c739d71456f0
Instruction Fuzzy Hash: F0D1D531701212CFCB19EF14C895B69F7A0BF06711F1442ADEA4A6B252DB31EC56EF91

Function 00F87DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F87FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F87FC1
GetFileAttributesW.KERNEL32(?), ref: 00F87FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F88005
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88017
SetCurrentDirectoryW.KERNEL32(?), ref: 00F88060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F880B0

Strings

*.*, xrefs: 00F88066

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: bf5d729aad3b10327ecd31261d7c0aee4d94d72680356fa375f67ef3511965e6
Instruction ID: 51c55b71b6b35d3c329c2ca4d2d4b92c7303e0cf8a73c2396559902d16b83e78
Opcode Fuzzy Hash: bf5d729aad3b10327ecd31261d7c0aee4d94d72680356fa375f67ef3511965e6
Instruction Fuzzy Hash: BE81B3729083459BCB20FF14C844AEAB7E8BF85360F64485EF489C7250DB74DD45AB92

Function 00F15BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F15C7A

Part of subcall function 00F15D0A: GetClientRect.USER32(?,?), ref: 00F15D30
Part of subcall function 00F15D0A: GetWindowRect.USER32(?,?), ref: 00F15D71
Part of subcall function 00F15D0A: ScreenToClient.USER32(?,?), ref: 00F15D99

GetDC.USER32 ref: 00F546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F54708
SelectObject.GDI32(00000000,00000000), ref: 00F54716
SelectObject.GDI32(00000000,00000000), ref: 00F5472B
ReleaseDC.USER32(?,00000000), ref: 00F54733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F547C4

Strings

U, xrefs: 00F54693

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0c865bc0d30626c0bb98891d74ef05b6497d8fe41ff9051002a36d34635f9d95
Instruction ID: 0d58f731dd47426bdb570cab8a0eae3313b0473fb61617af4f35eb6e879134e2
Opcode Fuzzy Hash: 0c865bc0d30626c0bb98891d74ef05b6497d8fe41ff9051002a36d34635f9d95
Instruction Fuzzy Hash: 8B71F535900209DFCF218F64D984AFA7BB1FF4A32AF144265EE555A266C730A8C5FF90

Function 00F8359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F835E4

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

LoadStringW.USER32(00FE2390,?,00000FFF,?), ref: 00F8360A

Strings

Line %d (File "%s"):, xrefs: 00F8366B
^ ERROR, xrefs: 00F836C9
Error: , xrefs: 00F836EF
"%s" (%d) : ==> %s:, xrefs: 00F83742
"%s" (%d) : ==> %s:%s%s, xrefs: 00F83724

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 21d43b33729142ca470d9293dc41762695543d09d0f1b67708b907f637034f57
Instruction ID: be97b96756309282af49035d2fd66add8d5db7791ed5c93c3df80b46e70d8bb2
Opcode Fuzzy Hash: 21d43b33729142ca470d9293dc41762695543d09d0f1b67708b907f637034f57
Instruction Fuzzy Hash: 89518E72C0421ABADF14EBA0CC42EEDBB39AF04710F044125F505721A1EB746AD8FFA1

Function 00FA8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

Part of subcall function 00F2912D: GetCursorPos.USER32(?), ref: 00F29141
Part of subcall function 00F2912D: ScreenToClient.USER32(00000000,?), ref: 00F2915E
Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000001), ref: 00F29183
Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000002), ref: 00F2919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FA8B6B
ImageList_EndDrag.COMCTL32 ref: 00FA8B71
ReleaseCapture.USER32 ref: 00FA8B77
SetWindowTextW.USER32(?,00000000), ref: 00FA8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FA8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FA8CFF

Strings

@GUI_DROPID, xrefs: 00FA8C51
@GUI_DRAGFILE, xrefs: 00FA8C9A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 65a01b5e48a8e218c196fc985003b30138847260084954971a2933e7a63fe4d4
Instruction ID: c8ca6a881a8ee91ba4e3e03c0d6ae0073af0ce39564d8f8ea29cac7ef9f474ce
Opcode Fuzzy Hash: 65a01b5e48a8e218c196fc985003b30138847260084954971a2933e7a63fe4d4
Instruction Fuzzy Hash: 4851ADB0504304AFD700DF10DC95FAE77E4FB85760F000529F992672A2CBB49944EBA2

Function 00F8C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8C2CA
GetLastError.KERNEL32 ref: 00F8C322
SetEvent.KERNEL32(?), ref: 00F8C336
InternetCloseHandle.WININET(00000000), ref: 00F8C341

Strings

, xrefs: 00F8C2BB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3fe1d2ea89e75d68e78e8246fcdeb07d218786bcfb25379e9ccc04c93035c3df
Instruction ID: 714dd90837772956a3d3404a23e38a72d9929877cbb48e739d64bb3b9d3d035d
Opcode Fuzzy Hash: 3fe1d2ea89e75d68e78e8246fcdeb07d218786bcfb25379e9ccc04c93035c3df
Instruction Fuzzy Hash: D5317FB1600608AFDB21AF649C88AAB7BFCEB49754F10851EF446D2240DB34DD05ABF0

Function 00F7989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F53AAF,?,?,Bad directive syntax error,00FACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F798BC
LoadStringW.USER32(00000000,?,00F53AAF,?), ref: 00F798C3

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F79987

Strings

Error: , xrefs: 00F79955
Line %d:, xrefs: 00F79912
%s (%d) : ==> %s.: %s %s, xrefs: 00F798F1
Line %d (File "%s"):, xrefs: 00F7992D
., xrefs: 00F7996D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e4f44725efdc2c09d1d3c904d795f9f0029ad664f034069956ba3686f32ca79a
Instruction ID: db42e77c774a8c1a0842bddf2ed0c853a8395acbe85149a68313d59a22c40664
Opcode Fuzzy Hash: e4f44725efdc2c09d1d3c904d795f9f0029ad664f034069956ba3686f32ca79a
Instruction Fuzzy Hash: 42217E3280421AABDF15EF90CC06EEE7775BF19310F04442AF619621A2EB75A658FB51

Function 00F7209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F7214D

Strings

SHELLDLL_DefView, xrefs: 00F720CC
list, xrefs: 00F7212F
smallicons, xrefs: 00F72115
details, xrefs: 00F720FB
largeicons, xrefs: 00F720E1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 90ae2ed4905c94e3ea93488351d874d461c8b52ba792fb6b2aa99da4529a4536
Instruction ID: c3bbc7e06e42e0d832aee4f0ac25d8ceb86960508054cbef80a915ea4005ba6b
Opcode Fuzzy Hash: 90ae2ed4905c94e3ea93488351d874d461c8b52ba792fb6b2aa99da4529a4536
Instruction Fuzzy Hash: 1111E97B688706B9FA016620DC07DA6379CEB05734F604117FB0CA51E1FEA9B8417656

Function 00F4CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F4CEB7
_free.LIBCMT ref: 00F4CF22
_free.LIBCMT ref: 00F4CF48
_free.LIBCMT ref: 00F4CF71
_free.LIBCMT ref: 00F4CFA9
_free.LIBCMT ref: 00F4CFDA
_free.LIBCMT ref: 00F4D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F4D09C
_free.LIBCMT ref: 00F4D0B5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c385ea840021b6a440a0c1c1a539080dd4d9c7a44316849bfeb5edd81435e90c
Instruction ID: 8be7226bd2e11d309ba56f3686e71ee009a97539dc19054977cb85148f77a549
Opcode Fuzzy Hash: c385ea840021b6a440a0c1c1a539080dd4d9c7a44316849bfeb5edd81435e90c
Instruction Fuzzy Hash: 83612571E05244ABDB61AFB89C81A6A7FA5EF05330F04416DFD409B282EF399D44B7B0

Function 00FA50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FA5186
ShowWindow.USER32(?,00000000), ref: 00FA51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FA51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FA51D1

Part of subcall function 00FA6FBA: DeleteObject.GDI32(00000000), ref: 00FA6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FA520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FA524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FA5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FA5296

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4bfbd4b75a4fafad8e70f70ddcecede246582391e7aa4704088f81f2ce0d45b9
Instruction ID: e769735fc55bc24260076a5cc4b512e7c82d78de13c2e087ca2c7c3547e5d018
Opcode Fuzzy Hash: 4bfbd4b75a4fafad8e70f70ddcecede246582391e7aa4704088f81f2ce0d45b9
Instruction Fuzzy Hash: 335190B1A50A08BEEF349F64DC4ABE93BA5FB07B25F144011F6159A2E1C775A980FB40

Function 00F28B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F66890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F28874,00000000,00000000,00000000,000000FF,00000000), ref: 00F66901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F6691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F28874,00000000,00000000,00000000,000000FF,00000000), ref: 00F6692D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bbdc44520502d36258a9be22fa31298813bfa829ff4435fa6795eddeb6358c68
Instruction ID: 887fb32b590e6a9c1f02fc2d77faa146c2cfe36669c2745731ac09dfaf63f3a1
Opcode Fuzzy Hash: bbdc44520502d36258a9be22fa31298813bfa829ff4435fa6795eddeb6358c68
Instruction Fuzzy Hash: BB5179B0A00209AFDB20CF25DC95FAA7BB5FF88760F104519F916D72A0DB70E991EB50

Function 00F8C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8C182
GetLastError.KERNEL32 ref: 00F8C195
SetEvent.KERNEL32(?), ref: 00F8C1A9

Part of subcall function 00F8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8C272
Part of subcall function 00F8C253: GetLastError.KERNEL32 ref: 00F8C322
Part of subcall function 00F8C253: SetEvent.KERNEL32(?), ref: 00F8C336
Part of subcall function 00F8C253: InternetCloseHandle.WININET(00000000), ref: 00F8C341

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 453e02b95e3f5ac65dbf01ff9ca1fdb3dbbd64187f02c1b0d3ff6592eb169245
Instruction ID: f1bee96bd8ed9f698e5b388b8166888d93c12535f186360e8d3b3665c9947b6f
Opcode Fuzzy Hash: 453e02b95e3f5ac65dbf01ff9ca1fdb3dbbd64187f02c1b0d3ff6592eb169245
Instruction Fuzzy Hash: 3D3180B1500605AFDB21AFB5DC44AA6BBF8FF19310B00441DF95682660DB35E814BBF0

Function 00F725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F72601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F72605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F7260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F72623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F72627

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fcdfe46a15eace38c18286515297db68d15f4388ad07d566153e180714d16f1f
Instruction ID: 0103ebe7966df56a01e725198c7ae714967b8a62b7327e0e3c811e88df6041e7
Opcode Fuzzy Hash: fcdfe46a15eace38c18286515297db68d15f4388ad07d566153e180714d16f1f
Instruction Fuzzy Hash: C801D471390214BBFB1067699C8AF593F69DB4EB12F104006F318AE1D1C9F22445AAAA

Function 00F71803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F71449,?,?,00000000), ref: 00F7180C
HeapAlloc.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F71813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71449,?,?,00000000), ref: 00F71828
GetCurrentProcess.KERNEL32(?,00000000,?,00F71449,?,?,00000000), ref: 00F71830
DuplicateHandle.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F71833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71449,?,?,00000000), ref: 00F71843
GetCurrentProcess.KERNEL32(00F71449,00000000,?,00F71449,?,?,00000000), ref: 00F7184B
DuplicateHandle.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F7184E
CreateThread.KERNEL32(00000000,00000000,00F71874,00000000,00000000,00000000), ref: 00F71868

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 365aa92c231d043644f68200c0cb88fa6f828803c2c4824537a9a018a3a70120
Instruction ID: 28a819be54d583c1865336f2e088798c497c78679083e1733c3522d3fbb1aac0
Opcode Fuzzy Hash: 365aa92c231d043644f68200c0cb88fa6f828803c2c4824537a9a018a3a70120
Instruction Fuzzy Hash: 9C01BBB5340308BFE710ABA5DC4DF6B3BACEB8AB11F008411FA05DB1A2DA709804DB61

Function 00F9A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F7D501
Part of subcall function 00F7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F7D50F
Part of subcall function 00F7D4DC: CloseHandle.KERNEL32(00000000), ref: 00F7D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9A16D
GetLastError.KERNEL32 ref: 00F9A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F9A268
GetLastError.KERNEL32(00000000), ref: 00F9A273
CloseHandle.KERNEL32(00000000), ref: 00F9A2C4

Strings

SeDebugPrivilege, xrefs: 00F9A18F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2f03730df517f78303f8000dab91c0bc6dcbc4962bab23cd2e0ee50e26dee448
Instruction ID: d394f3ca51b79ebf282b3ea1afb8d327e2b7b5f937bb4e2e13b0837f7fce0c27
Opcode Fuzzy Hash: 2f03730df517f78303f8000dab91c0bc6dcbc4962bab23cd2e0ee50e26dee448
Instruction Fuzzy Hash: EB6171716082419FEB20DF14C894F55BBE1AF44318F14849CE4668B7A3C776ED85DBD2

Function 00FA3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FA3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FA393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FA3954
_wcslen.LIBCMT ref: 00FA3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FA39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FA39F4

Strings

SysListView32, xrefs: 00FA38F7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2f900752e34deb3543bfdb98fd3805bb664c6376a5bae97283b44c008eed014a
Instruction ID: 02a13d8f1a3baee4a0893cec24ca974856269fc50779bb5df771afa8af384361
Opcode Fuzzy Hash: 2f900752e34deb3543bfdb98fd3805bb664c6376a5bae97283b44c008eed014a
Instruction Fuzzy Hash: AA4195B1E00219ABDB219F64CC45FEA77A9FF09360F100526F958E7281D775DE84EB90

Function 00F7BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F7BCFD
IsMenu.USER32(00000000), ref: 00F7BD1D
CreatePopupMenu.USER32 ref: 00F7BD53
GetMenuItemCount.USER32(01945170), ref: 00F7BDA4
InsertMenuItemW.USER32(01945170,?,00000001,00000030), ref: 00F7BDCC

Strings

0, xrefs: 00F7BCA8
2, xrefs: 00F7BD37

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c89daaac1725604b53bf131a7d4935f96b2fa3498b5dca40d35f57913b610f29
Instruction ID: 90fab85b849e4e9077aef07c9d6d601b3e0ba3679aa622237fd1993ae6bf12ba
Opcode Fuzzy Hash: c89daaac1725604b53bf131a7d4935f96b2fa3498b5dca40d35f57913b610f29
Instruction Fuzzy Hash: 12519F70A002099FDB21CFA8D888BAEBBF5AF46324F14C15AF419D7291E7749941EB52

Function 00F7C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F7C913

Strings

info, xrefs: 00F7C8B4
stop, xrefs: 00F7C8E4
question, xrefs: 00F7C8CC
blank, xrefs: 00F7C895
warning, xrefs: 00F7C8FC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6a6f3a82e734490b258386ba058ab87bb73bd80ef07628634d895862cbab60b6
Instruction ID: 7d8baf4383ca37f71e5a8d7ede96b0d3ced76778abcd7f2b4646177916cb291b
Opcode Fuzzy Hash: 6a6f3a82e734490b258386ba058ab87bb73bd80ef07628634d895862cbab60b6
Instruction Fuzzy Hash: 4F11BE32A8930ABAA7055B549C82DDA7BACDF15774B50402FF608E5281DB74BD0072E7

Function 00F7ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F7ED2A
_wcslen.LIBCMT ref: 00F7ED3B
_wcslen.LIBCMT ref: 00F7ED79
_wcslen.LIBCMT ref: 00F7EDAF
_wcslen.LIBCMT ref: 00F7EDDF
_wcslen.LIBCMT ref: 00F7EDEF
_wcslen.LIBCMT ref: 00F7EE2B
_wcslen.LIBCMT ref: 00F7EE5A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c34c03e1e2d8666025b16b8cadad4da0288f8c25cf24105780407bdebf2a9b24
Instruction ID: af2a8509fca15b218801a25e245c21f121f70550acd26512e60d40146c012fab
Opcode Fuzzy Hash: c34c03e1e2d8666025b16b8cadad4da0288f8c25cf24105780407bdebf2a9b24
Instruction Fuzzy Hash: 70419365C1121875CB11EBF48C8AACFB7A8AF49720F518867F518E3121FB38E255D3A6

Function 00F2F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F2F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F6F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F6F454

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 50239311a1590374d339fed700fd605175725e64b293b0d3e50004e0072e7a53
Instruction ID: a709f1706c11b60ee6228872204ab408116fd722b6ce1c80ff2f402ff3b58199
Opcode Fuzzy Hash: 50239311a1590374d339fed700fd605175725e64b293b0d3e50004e0072e7a53
Instruction Fuzzy Hash: B0412D31A28690BBD7398B2DFC8872A7BB1AB56320F14443DE08756661DA3198C8FB51

Function 00FA2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FA2D1B
GetDC.USER32(00000000), ref: 00FA2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FA2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FA2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FA2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FA5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FA2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FA2DE1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3e323a01c9275538d0afd69fa2849d30851554c38a0152b65756b31d4ddfb0df
Instruction ID: a272b739c1985575b21182db25eabca51e600e062d4498398a2c2298618ab8d7
Opcode Fuzzy Hash: 3e323a01c9275538d0afd69fa2849d30851554c38a0152b65756b31d4ddfb0df
Instruction Fuzzy Hash: 02317CB2201214BFEB118F54CC8AFEB3BA9EF0A725F044055FE08DA291C6759C51DBA4

Function 00F75622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F75637
_memcmp.LIBVCRUNTIME ref: 00F75659
_memcmp.LIBVCRUNTIME ref: 00F75671
_memcmp.LIBVCRUNTIME ref: 00F75684
_memcmp.LIBVCRUNTIME ref: 00F7569E
_memcmp.LIBVCRUNTIME ref: 00F756B1
_memcmp.LIBVCRUNTIME ref: 00F756C9
_memcmp.LIBVCRUNTIME ref: 00F756E4

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fe9cdfc4743d5fc7fa7f998dcb9949350a6ba73bc782ff870c71f89b457c7b95
Instruction ID: 12e64ba9b3e39759ad2769ba310c5f98e546475fff062284f842f623e3792701
Opcode Fuzzy Hash: fe9cdfc4743d5fc7fa7f998dcb9949350a6ba73bc782ff870c71f89b457c7b95
Instruction Fuzzy Hash: 5E210AA2A40A09B7D21855118D82FBA335CBF11BB4F448022FD0C9E541F7A4EF14B1A7

Function 00F94FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F95007
NULL Pointer assignment, xrefs: 00F9502E, 00F95383

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 84a2203a56585990a2d94c6ed3eea20af4a00c57eca0d5d88cc327f166136d93
Instruction ID: eb38089637452d897781cafe7d19218d18c7c43896bb20331ff47ef55f4ac15d
Opcode Fuzzy Hash: 84a2203a56585990a2d94c6ed3eea20af4a00c57eca0d5d88cc327f166136d93
Instruction Fuzzy Hash: 58D1C171E0060A9FEF11CFA8C881FAEB7B5BF48754F148069E915AB280E771DD85DB90

Function 00F51522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F517FB,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F516FB

Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51777
__freea.LIBCMT ref: 00F517A2
__freea.LIBCMT ref: 00F517AE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cbc2ad6c5865128e18deba2fa4a3043bd84a3813d57b3bde1612499dbd7599d6
Instruction ID: b750fe4ecb9dc3ac57be579e6a73aef0bbe28ce101620b55f9f7015559b9fe32
Opcode Fuzzy Hash: cbc2ad6c5865128e18deba2fa4a3043bd84a3813d57b3bde1612499dbd7599d6
Instruction Fuzzy Hash: 6F91C872E002165ADF208E74DC81BEE7BB5BF49321F184659EE01E7141E735EC48E7A0

Function 00F94523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F94648
VariantInit.OLEAUT32(?), ref: 00F94749
VariantClear.OLEAUT32(?), ref: 00F94753
VariantClear.OLEAUT32(?), ref: 00F947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F9472C
Null Object assignment in FOR..IN loop, xrefs: 00F945D8, 00F94706, 00F947BE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: df408a86555fd01a898a23c26b7dc3433269c23af7cb0dca114a2bb10d200384
Instruction ID: 94bb87955a0463bfc19786c3533d2a38733ae4ee93ffe0b21530e9217cc1ed46
Opcode Fuzzy Hash: df408a86555fd01a898a23c26b7dc3433269c23af7cb0dca114a2bb10d200384
Instruction Fuzzy Hash: A291B771E00219ABEF20CFA4CC44FAEBBB8EF56714F108559F505AB280D770A946DFA1

Function 00F81187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F8125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F8135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F81430

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 485eafd476fea40522bee4a706f2d45dc2404908f051b38940def609625d6f52
Instruction ID: 6b38385ff9411a9636103e4a63d7dc3bf40207086bd97d09e8a8345c36526e68
Opcode Fuzzy Hash: 485eafd476fea40522bee4a706f2d45dc2404908f051b38940def609625d6f52
Instruction Fuzzy Hash: 7391C272E002199FDB00EF94C885BFE77B9FF45325F104229E941E7291D778A946EB90

Function 00F2948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 549f8a9e9d861e3b2907f01010d564efe30234088d19b88c2a1d2d5402707779
Instruction ID: 7d4b89ee59907418fb174a032eb3819e842b92990d563aa5aa780fd55af1c653
Opcode Fuzzy Hash: 549f8a9e9d861e3b2907f01010d564efe30234088d19b88c2a1d2d5402707779
Instruction Fuzzy Hash: BC914871E04219EFCB10CFA9DC85AEEBBB8FF49320F148059E515B7251D378A941EBA0

Function 00F93947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F9396B
CharUpperBuffW.USER32(?,?), ref: 00F93A7A
_wcslen.LIBCMT ref: 00F93A8A
VariantClear.OLEAUT32(?), ref: 00F93C1F

Part of subcall function 00F80CDF: VariantInit.OLEAUT32(00000000), ref: 00F80D1F
Part of subcall function 00F80CDF: VariantCopy.OLEAUT32(?,?), ref: 00F80D28
Part of subcall function 00F80CDF: VariantClear.OLEAUT32(?), ref: 00F80D34

Strings

AUTOIT.ERROR, xrefs: 00F93A80, 00F93A85
Incorrect Parameter format, xrefs: 00F939A6, 00F93BA1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 999ff6d1c2a13fbb65f396f97929b41fd6c0eb77a9cc133ebf259a54d12c7621
Instruction ID: ccd4b0fbb3be60eaf5fd622efe662425e5041474c5230bf42fea6241d6c197aa
Opcode Fuzzy Hash: 999ff6d1c2a13fbb65f396f97929b41fd6c0eb77a9cc133ebf259a54d12c7621
Instruction Fuzzy Hash: BB917B75A083059FCB10EF64C88096AB7E5FF89314F14892DF8899B351DB34EE45EB92

Function 00F94BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F7000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?,?,00F7035E), ref: 00F7002B
Part of subcall function 00F7000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70046
Part of subcall function 00F7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70054
Part of subcall function 00F7000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?), ref: 00F70064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F94C51
_wcslen.LIBCMT ref: 00F94D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F94DCF
CoTaskMemFree.OLE32(?), ref: 00F94DDA

Strings

NULL Pointer assignment, xrefs: 00F94E23, 00F94E52

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ef3d8222cdcc792c828dc3151972103bea02674798da7780be643f59ed8420a0
Instruction ID: 3c27347625ea8f887a0e43f5ddad71b57a4f6df0c18c7719aaffc343edef88e6
Opcode Fuzzy Hash: ef3d8222cdcc792c828dc3151972103bea02674798da7780be643f59ed8420a0
Instruction Fuzzy Hash: D7911771D0021DAFEF10DFA4CC90EEDB7B8BF08310F10816AE915A7251DB34AA459FA0

Function 00FA20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FA2183
GetMenuItemCount.USER32(00000000), ref: 00FA21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FA21DD
_wcslen.LIBCMT ref: 00FA2213
GetMenuItemID.USER32(?,?), ref: 00FA224D
GetSubMenu.USER32(?,?), ref: 00FA225B

Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA22E3

Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b867a445de47ce972fc6cfaf73140aad4d844f90cf3729b17b9fc060aa1c303a
Instruction ID: 42c4c48e36ef900ff69fe801139ea81c558353ac0a36169ebd4a8503e49be281
Opcode Fuzzy Hash: b867a445de47ce972fc6cfaf73140aad4d844f90cf3729b17b9fc060aa1c303a
Instruction Fuzzy Hash: 117181B6E00205AFDB50DF68C845BAEB7F5EF49320F148459E816EB351DB38ED41AB90

Function 00FA7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01945418), ref: 00FA7F37
IsWindowEnabled.USER32(01945418), ref: 00FA7F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FA801E
SendMessageW.USER32(01945418,000000B0,?,?), ref: 00FA8051
IsDlgButtonChecked.USER32(?,?), ref: 00FA8089
GetWindowLongW.USER32(01945418,000000EC), ref: 00FA80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FA80C3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6e073208fc170df0f996d135c9cba3388c5da9b3580b169785250a469f515547
Instruction ID: 09a36e70bfc820a530b7c31245d7500be722232fd646b039cf3c0ddedfaddad3
Opcode Fuzzy Hash: 6e073208fc170df0f996d135c9cba3388c5da9b3580b169785250a469f515547
Instruction Fuzzy Hash: 8171C0B4A08344AFEB20EF54CC84FEA7BB9FF4B350F144059E95557261CB31A945EBA0

Function 00F7AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F7AEF9
GetKeyboardState.USER32(?), ref: 00F7AF0E
SetKeyboardState.USER32(?), ref: 00F7AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F7AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F7AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F7AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F7B020

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8d614128667d6145657b76296bee40a99e63db64495677d143de8ce74373ba0a
Instruction ID: f68e4597de83d631b92a3134e5c9a9acc6622867a0191cc55a1a844a5ca0a7b5
Opcode Fuzzy Hash: 8d614128667d6145657b76296bee40a99e63db64495677d143de8ce74373ba0a
Instruction Fuzzy Hash: 9751D1A1A087D53DFB3682348C45BBEBEA95B46314F09C58AE1DD858C3C3D8A8C4E753

Function 00F7ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F7AD19
GetKeyboardState.USER32(?), ref: 00F7AD2E
SetKeyboardState.USER32(?), ref: 00F7AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F7ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F7ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F7AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F7AE38

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cbb9c5d33dd57aa0da63506d19e6f39cd7120fa6844f75474699684579e32060
Instruction ID: 062cb2799394942d23e95285c62b11f8a116a75690f2e3a80d08e7004902d345
Opcode Fuzzy Hash: cbb9c5d33dd57aa0da63506d19e6f39cd7120fa6844f75474699684579e32060
Instruction Fuzzy Hash: B551E3A19047D53DFB3383248C55BBE7EA95B86310F09C48AE0DD868C2D294EC98F753

Function 00F4542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F53CD6,?,?,?,?,?,?,?,?,00F45BA3,?,?,00F53CD6,?,?), ref: 00F45470
__fassign.LIBCMT ref: 00F454EB
__fassign.LIBCMT ref: 00F45506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F53CD6,00000005,00000000,00000000), ref: 00F4552C
WriteFile.KERNEL32(?,00F53CD6,00000000,00F45BA3,00000000,?,?,?,?,?,?,?,?,?,00F45BA3,?), ref: 00F4554B
WriteFile.KERNEL32(?,?,00000001,00F45BA3,00000000,?,?,?,?,?,?,?,?,?,00F45BA3,?), ref: 00F45584

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: da97a08db27f1a47e1ffea7cc8ed9962fec65aef781ff15e3c647214d8310fe6
Instruction ID: 3f944cf1c7cfe3088faf19eb59f4ccb2515b189be32c42b63524c74bcda099c5
Opcode Fuzzy Hash: da97a08db27f1a47e1ffea7cc8ed9962fec65aef781ff15e3c647214d8310fe6
Instruction Fuzzy Hash: 1B51E3B1E00649AFDB11DFA8DC85AEEBBF9EF09710F14401AF945E7292D7309A41DB60

Function 00F32D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F32D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F32D53
_ValidateLocalCookies.LIBCMT ref: 00F32DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F32E0C
_ValidateLocalCookies.LIBCMT ref: 00F32E61

Strings

csm, xrefs: 00F32DF6

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2840c065c358296ee5cc5161864ed156f1c89cfbc9f7f3b7d14b739acf1cbfe1
Instruction ID: f20a1dee79f69031411a82083c1d1fdc30fbd461ba543cff112b98f89d1ba714
Opcode Fuzzy Hash: 2840c065c358296ee5cc5161864ed156f1c89cfbc9f7f3b7d14b739acf1cbfe1
Instruction Fuzzy Hash: 1341DD35E00209ABCF50DF68CC85A9EBBB5BF44334F148155E814AB392DB35EA05EBD0

Function 00F910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
Part of subcall function 00F9304E: _wcslen.LIBCMT ref: 00F9309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F91112
WSAGetLastError.WSOCK32 ref: 00F91121
WSAGetLastError.WSOCK32 ref: 00F911C9
closesocket.WSOCK32(00000000), ref: 00F911F9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8d423b4b661e7d0e9d652d424b2d04dd63d1ad2f108c61fd6f67148e9f8f0027
Instruction ID: d29339dd11579687269cdc9ed391dde60d0d979327cd7c57edd4b91b549cf072
Opcode Fuzzy Hash: 8d423b4b661e7d0e9d652d424b2d04dd63d1ad2f108c61fd6f67148e9f8f0027
Instruction Fuzzy Hash: 3E41E371600209AFEB109F14CC84BAABBE9FF45364F148069FD159B291C778ED81DBE1

Function 00F7CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7CF22,?), ref: 00F7DDFD

Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7CF22,?), ref: 00F7DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F7CF45
MoveFileW.KERNEL32(?,?), ref: 00F7CF7F
_wcslen.LIBCMT ref: 00F7D005
_wcslen.LIBCMT ref: 00F7D01B
SHFileOperationW.SHELL32(?), ref: 00F7D061

Strings

\*.*, xrefs: 00F7CFF3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7999f6712d2c1ee5dad56945bb69f1331c9361e84eb67d204039887fb3ecffad
Instruction ID: ecca875b5d9374a53472589962c8f2c2ac22915e5615cf89ad06bfd6cfd912e2
Opcode Fuzzy Hash: 7999f6712d2c1ee5dad56945bb69f1331c9361e84eb67d204039887fb3ecffad
Instruction Fuzzy Hash: F1415571D052185EDF12EFA4CD81FDEB7B9AF09390F4040EBE509EB141EA74A688EB51

Function 00FA2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FA2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FA2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FA2F0B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8bd3823af5439c99c06071ab9a1dfb5f6271a0e002f9fcff4960471e104200e1
Instruction ID: 7e0b6c2f6692b279e9cc74119785142983a2bf1d2a9a5a9af8a0ce219297f890
Opcode Fuzzy Hash: 8bd3823af5439c99c06071ab9a1dfb5f6271a0e002f9fcff4960471e104200e1
Instruction Fuzzy Hash: 2231D175B04158AFEB61CF59DCC4F6937E1BB8A720F150164F9048F2A2CB71A880EB41

Function 00F77726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7778F
SysAllocString.OLEAUT32(00000000), ref: 00F77792
SysAllocString.OLEAUT32(?), ref: 00F777B0
SysFreeString.OLEAUT32(?), ref: 00F777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F777DE
SysAllocString.OLEAUT32(?), ref: 00F777EC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a23cd0522f0b8da0e87b15cf01d3228df84f08daec9a8163fdc8cf201999583d
Instruction ID: 7afff4a598b5199eba3558a0400cfc0066cfaa34c6967e7f49c236ef73a73843
Opcode Fuzzy Hash: a23cd0522f0b8da0e87b15cf01d3228df84f08daec9a8163fdc8cf201999583d
Instruction Fuzzy Hash: 9D21B076A14219AFDB14EFA8DC88DBB77ECEB093647008026FA08DB150D674DC42A7A5

Function 00F777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77868
SysAllocString.OLEAUT32(00000000), ref: 00F7786B
SysAllocString.OLEAUT32 ref: 00F7788C
SysFreeString.OLEAUT32 ref: 00F77895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F778AF
SysAllocString.OLEAUT32(?), ref: 00F778BD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d25c7a1e77174866f926541d041a769bdd3d942d9540d8286356af5fe529e130
Instruction ID: 624469a24040a81367888298fa2095131dcc2e7f48c8c22f5c502e7cfd543376
Opcode Fuzzy Hash: d25c7a1e77174866f926541d041a769bdd3d942d9540d8286356af5fe529e130
Instruction Fuzzy Hash: C5217771A14218AFDB10AFB8DC8CDBA77ECEB09760710C126F915CB1A1D674DC41DB65

Function 00F804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F8052E

Strings

nul, xrefs: 00F80567

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 696a830d2c6b767608820ec3414883e522636c89434a9fb445ce9d9f07e72901
Instruction ID: 94dfa19811cf578a5009b56589934bde18dd9cfeb9d8f148d7a8a22fd25ba0a7
Opcode Fuzzy Hash: 696a830d2c6b767608820ec3414883e522636c89434a9fb445ce9d9f07e72901
Instruction Fuzzy Hash: 5D217175900305AFDB20AF29DC08A9A77E4AF45724F644A19E8A1DA2E0DB709944EF60

Function 00F805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F80601

Strings

nul, xrefs: 00F80639

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3cf45a334ca8f205360a59680dd6c95ddac7bf851a8b673e048c3b69a2575d30
Instruction ID: e56dd2c6f0f082b91f89abd86399e81780040ad50f64788e63ee863631ea6a49
Opcode Fuzzy Hash: 3cf45a334ca8f205360a59680dd6c95ddac7bf851a8b673e048c3b69a2575d30
Instruction Fuzzy Hash: 9C2181759003059FDB60AF698C04ADA77E4BF95730F600B19F8A1E72E0EB709864EB60

Function 00FA40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
Part of subcall function 00F1600E: GetStockObject.GDI32(00000011), ref: 00F16060
Part of subcall function 00F1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FA4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FA411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FA412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FA4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FA4145

Strings

Msctls_Progress32, xrefs: 00FA40E3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9e5b0a1fdf180173e39a896d508c0969572f959d7499a6e09146013cf46cfaee
Instruction ID: 895205d9e7fbbd2e92883f2f41fd7d01433aa1b67796aa33a778855bfcc28f1d
Opcode Fuzzy Hash: 9e5b0a1fdf180173e39a896d508c0969572f959d7499a6e09146013cf46cfaee
Instruction Fuzzy Hash: 6D11B6B214021D7EEF119F64CC85EE77F5DEF09798F004111B618A6150C6B6DC61EBA4

Function 00F4D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F4D7A3: _free.LIBCMT ref: 00F4D7CC

_free.LIBCMT ref: 00F4D82D

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F4D838
_free.LIBCMT ref: 00F4D843
_free.LIBCMT ref: 00F4D897
_free.LIBCMT ref: 00F4D8A2
_free.LIBCMT ref: 00F4D8AD
_free.LIBCMT ref: 00F4D8B8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c2909a71ada78281a0f80f7854627c584d8423ab15ff8480bd076dd8cf1df4d0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5A115171540B04ABE921BFB1CC47FCB7FEC6F00700F800825BA99A6192DA79B5057650

Function 00F7DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F7DA74
LoadStringW.USER32(00000000), ref: 00F7DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F7DA91
LoadStringW.USER32(00000000), ref: 00F7DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F7DAB9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: b3e7832dd6012b44e59a0f887ed4857bcbdbdaeca60a0c4f66373831c98ccf91
Instruction ID: 3d0201e3f8efb4fad33883ca83e66263911079b8bfc4b112fb7f5c668a343bf7
Opcode Fuzzy Hash: b3e7832dd6012b44e59a0f887ed4857bcbdbdaeca60a0c4f66373831c98ccf91
Instruction Fuzzy Hash: 230162F290020C7FE710EBA4DD89EE7336CEB09701F404496B70AE2142EA749E845FB5

Function 00F8096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0193DC38,0193DC38), ref: 00F8097B
EnterCriticalSection.KERNEL32(0193DC18,00000000), ref: 00F8098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00F8099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00F809A9
CloseHandle.KERNEL32(00000000), ref: 00F809B8
InterlockedExchange.KERNEL32(0193DC38,000001F6), ref: 00F809C8
LeaveCriticalSection.KERNEL32(0193DC18), ref: 00F809CF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 227ac0994cfa4a1c7c8ac02b06f85888e619415d6c1b7f0fa541a1152cce9c0c
Instruction ID: 7b0815a28f4c13e611be39d9c96f15d9414254b8f85e2663fdd0b1633ad73702
Opcode Fuzzy Hash: 227ac0994cfa4a1c7c8ac02b06f85888e619415d6c1b7f0fa541a1152cce9c0c
Instruction Fuzzy Hash: 29F03C72542A06BBD7415FA4EE8CBD6BB79FF02712F802025F202908A0CB749465EFD0

Function 00F91C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F91DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F91DE1
WSAGetLastError.WSOCK32 ref: 00F91DF2
htons.WSOCK32(?,?,?,?,?), ref: 00F91EDB
inet_ntoa.WSOCK32(?), ref: 00F91E8C

Part of subcall function 00F739E8: _strlen.LIBCMT ref: 00F739F2

Part of subcall function 00F93224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F8EC0C), ref: 00F93240

_strlen.LIBCMT ref: 00F91F35

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6a16d2f3ab75735e1f007c49ced7ae4187e9af599728d09936cfecfc03bce211
Instruction ID: edd360433d6e3698726dd99f5049019d4c7aaa5a2608ee6e3f196843ff7ee40f
Opcode Fuzzy Hash: 6a16d2f3ab75735e1f007c49ced7ae4187e9af599728d09936cfecfc03bce211
Instruction Fuzzy Hash: A0B11031604301AFEB24DF24C885E6A7BE5BF84328F54895CF4564B2E2CB35ED82DB91

Function 00F15D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F15D30
GetWindowRect.USER32(?,?), ref: 00F15D71
ScreenToClient.USER32(?,?), ref: 00F15D99
GetClientRect.USER32(?,?), ref: 00F15ED7
GetWindowRect.USER32(?,?), ref: 00F15EF8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c65e15aa072117ff13968e2d51aeeb3abca7413a8e29ced4e26df164e0654860
Instruction ID: b545969d0123c489447b283d4d4fb09923b24e738cb1dd194c33f6300607c448
Opcode Fuzzy Hash: c65e15aa072117ff13968e2d51aeeb3abca7413a8e29ced4e26df164e0654860
Instruction Fuzzy Hash: 21B18A75A0074ADBDB10CFA8C4807EEB7F1FF48311F14841AE8A9D7250DB30AA91EB50

Function 00F401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F400D6
__allrem.LIBCMT ref: 00F400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F4010B
__allrem.LIBCMT ref: 00F40122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F40140

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7e2bd05ecb64913b55a35ad82b24cf386577fb6227f30b852f0efdba654bc3bc
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9D81E872E007069BE720AE79CC41B6B77E9AF91334F24463AFE51D7281EB74D904AB50

Function 00F461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F382D9,00F382D9,?,?,?,00F4644F,00000001,00000001,8BE85006), ref: 00F46258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F4644F,00000001,00000001,8BE85006,?,?,?), ref: 00F462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F463D8
__freea.LIBCMT ref: 00F463E5

Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852

__freea.LIBCMT ref: 00F463EE
__freea.LIBCMT ref: 00F46413

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f261f0dee18d8f6fb2ee07e254037117e7dafa467a943a2452ecfa3d9f033635
Instruction ID: 62e4c7fd58796b37f728f7d9eb3edff43e03ac7fcb61a0101cdb1f341b888e1e
Opcode Fuzzy Hash: f261f0dee18d8f6fb2ee07e254037117e7dafa467a943a2452ecfa3d9f033635
Instruction Fuzzy Hash: E151F372A00256ABDF258F64CC81FBF7FA9EB46720F144269FC05D6280DB38DC40E6A1

Function 00F9BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F9BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F9BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F9BDF3
RegCloseKey.ADVAPI32(?), ref: 00F9BDFF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8bd64dbf3b93b29603991c83844dd69b6c8c29743ab1a258c0963125ec1a570d
Instruction ID: 4b0597721bc01af564a6bd63b21a7e90d7222365bb2ae337d1107c1ea0903e13
Opcode Fuzzy Hash: 8bd64dbf3b93b29603991c83844dd69b6c8c29743ab1a258c0963125ec1a570d
Instruction Fuzzy Hash: 8781DF70208241EFDB14DF24C985E6ABBE5FF85318F14885DF4598B2A2CB31ED45EB92

Function 00F6F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F6F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F6F860
VariantCopy.OLEAUT32(00F6FA64,00000000), ref: 00F6F889
VariantClear.OLEAUT32(00F6FA64), ref: 00F6F8AD
VariantCopy.OLEAUT32(00F6FA64,00000000), ref: 00F6F8B1
VariantClear.OLEAUT32(?), ref: 00F6F8BB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3c9a85d9a84a0bf2e144f3e3744421acc20824e800c8ef7f2dd7014ebbff2d7a
Instruction ID: a8827071533c18a76eb5b6b7ac1efa0ca2a5493433d42f6742205a681652f9c0
Opcode Fuzzy Hash: 3c9a85d9a84a0bf2e144f3e3744421acc20824e800c8ef7f2dd7014ebbff2d7a
Instruction Fuzzy Hash: 2551F932A10310FADF10AB76EC95B69B3A8EF45310F244467E906DF291DB748C48F796

Function 00F8910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00F894E5
_wcslen.LIBCMT ref: 00F89506
_wcslen.LIBCMT ref: 00F8952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00F89585

Strings

X, xrefs: 00F89412

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 9658084258e8db4fcfedc7bd51f6a6481ad74a7a700ba1597d8d64e7ddff45b7
Instruction ID: 338c89efd7c887a110641956dff9d7a0fd343bf3416f470c41d00cc837ddd367
Opcode Fuzzy Hash: 9658084258e8db4fcfedc7bd51f6a6481ad74a7a700ba1597d8d64e7ddff45b7
Instruction Fuzzy Hash: 51E1B631908340CFC714EF24C881AAEB7E5BF85324F08856DF8999B2A2DB75ED45DB91

Function 00F2920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

BeginPaint.USER32(?,?,?), ref: 00F29241
GetWindowRect.USER32(?,?), ref: 00F292A5
ScreenToClient.USER32(?,?), ref: 00F292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F292D3
EndPaint.USER32(?,?,?,?,?), ref: 00F29321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F671EA

Part of subcall function 00F29339: BeginPath.GDI32(00000000), ref: 00F29357

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f8ac977f2f78d8005f6a66379ac76cf268455b289c5db4e08a0faa3e8edc7d2e
Instruction ID: 62df9061860c9e73b1bcf6af418b11133908726784f5e4edab262e92933681bc
Opcode Fuzzy Hash: f8ac977f2f78d8005f6a66379ac76cf268455b289c5db4e08a0faa3e8edc7d2e
Instruction Fuzzy Hash: F041AD71509314AFD720DF25DC84FBA7BB8FB46724F14022AF9948B2E2C7749845EB61

Function 00F807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F8080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F80847
EnterCriticalSection.KERNEL32(?), ref: 00F80863
LeaveCriticalSection.KERNEL32(?), ref: 00F808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F80921

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: ec12df52f882d85c068953f33c4aa3dce693a660ff8e7b7082821fb55ffb980f
Instruction ID: 028192c24b9c0a8f42d67cffd11237b18896fab106929797e5a12f505b48c2cb
Opcode Fuzzy Hash: ec12df52f882d85c068953f33c4aa3dce693a660ff8e7b7082821fb55ffb980f
Instruction Fuzzy Hash: 7D41AF71A00209EFDF05AF54DC85AAA77B8FF04310F1040B9ED00AA297DB34DE58EBA0

Function 00FA81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F6F3AB,00000000,?,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00FA824C
EnableWindow.USER32(00000000,00000000), ref: 00FA8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FA82D1
ShowWindow.USER32(00000000,00000004), ref: 00FA82E5
EnableWindow.USER32(00000000,00000001), ref: 00FA830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FA832F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3f87041d0598065e1a79c840ee179488b21213a49f9c38148a0e25fc8edf21cd
Instruction ID: 744738290aa35f13e6cccd094690882335fb81971c78ebe49d61c0faacf05067
Opcode Fuzzy Hash: 3f87041d0598065e1a79c840ee179488b21213a49f9c38148a0e25fc8edf21cd
Instruction Fuzzy Hash: 4241C3B4A01648EFDF11CF15D899BE87BF0BB4B764F180168E6484F262CB71A842EB40

Function 00F74C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F74C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F74CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F74CEA
_wcslen.LIBCMT ref: 00F74D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F74D10
_wcsstr.LIBVCRUNTIME ref: 00F74D1A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e398bff6f5b08ff8e95d0aee8fb787d2a5d74c6cb255905a701aa6d37b588890
Instruction ID: 75256d49171b57bc942f7609308e20f0b59d6e8ce39c65898f1749753bf723e0
Opcode Fuzzy Hash: e398bff6f5b08ff8e95d0aee8fb787d2a5d74c6cb255905a701aa6d37b588890
Instruction Fuzzy Hash: 3321DA72604114BBEB269B39EC45E7B7BACDF46760F10807AF80DCA151EB65EC00A6A1

Function 00F8581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2

_wcslen.LIBCMT ref: 00F8587B
CoInitialize.OLE32(00000000), ref: 00F85995
CoCreateInstance.OLE32(00FAFCF8,00000000,00000001,00FAFB68,?), ref: 00F859AE
CoUninitialize.OLE32 ref: 00F859CC

Strings

.lnk, xrefs: 00F85876, 00F858C1, 00F85985

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 522a70288d398acaf8440ac18ec7a6ec21a7222dfe8883926fb25dcb448978aa
Instruction ID: 87d38c6042043026f9a3693fa56da98230ae2a24634fd892b4c12cac01c4e837
Opcode Fuzzy Hash: 522a70288d398acaf8440ac18ec7a6ec21a7222dfe8883926fb25dcb448978aa
Instruction Fuzzy Hash: BDD15571A087019FC714EF14C880AAABBF2FF89B24F144859F8899B361D735EC45DB92

Function 00F7175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F70FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F70FCA
Part of subcall function 00F70FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F70FD6
Part of subcall function 00F70FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F70FE5
Part of subcall function 00F70FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F70FEC
Part of subcall function 00F70FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F71002

GetLengthSid.ADVAPI32(?,00000000,00F71335), ref: 00F717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F717BA
HeapAlloc.KERNEL32(00000000), ref: 00F717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F717DA
GetProcessHeap.KERNEL32(00000000,00000000,00F71335), ref: 00F717EE
HeapFree.KERNEL32(00000000), ref: 00F717F5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bb6bf71d435d93a6c50c7011e2665952af69a55db8e56f40b58d01c8aa5d50a6
Instruction ID: 17e6242355e02ca238a357edf6eefa99166ca81001cd5b0b120e2757051bd19e
Opcode Fuzzy Hash: bb6bf71d435d93a6c50c7011e2665952af69a55db8e56f40b58d01c8aa5d50a6
Instruction Fuzzy Hash: EE11AF71A00209EFDB149FA8CC49BAF7BB9FB42365F10C019F44597111C7359949EBA1

Function 00F714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F71506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F71515
CloseHandle.KERNEL32(00000004), ref: 00F71520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F7154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F71563

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 78dbb6fa9227e0a7719d66fe9df7467da3a7a3c9e5d1b40b4bb786dedc39640c
Instruction ID: 11c68374826a4d71b9919fdd03daec37b14dc3f2337e750a8e6d2b48f0e0b746
Opcode Fuzzy Hash: 78dbb6fa9227e0a7719d66fe9df7467da3a7a3c9e5d1b40b4bb786dedc39640c
Instruction Fuzzy Hash: 431129B250020DABDF11CF98DD49BDE7BA9FF49754F048015FA09A2160C3758E68EBA1

Function 00F33382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F33379,00F32FE5), ref: 00F33390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F3339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F333B7
SetLastError.KERNEL32(00000000,?,00F33379,00F32FE5), ref: 00F33409

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6bf52ed41e2fc5843889c89b02ff04d0c21b041d3eeb0dbfc017dc8f0cfd3e9c
Instruction ID: 75ce550e7161bb778d3ef67040b60fdbaeb5f3a4cbcddb10d37b19fac3007d72
Opcode Fuzzy Hash: 6bf52ed41e2fc5843889c89b02ff04d0c21b041d3eeb0dbfc017dc8f0cfd3e9c
Instruction Fuzzy Hash: 2F01FC33A0E316BEAA15A775BC8AB577F55DB05379F20822AF410C52F0EF154D01B584

Function 00F42D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F45686,00F53CD6,?,00000000,?,00F45B6A,?,?,?,?,?,00F3E6D1,?,00FD8A48), ref: 00F42D78
_free.LIBCMT ref: 00F42DAB
_free.LIBCMT ref: 00F42DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F3E6D1,?,00FD8A48,00000010,00F14F4A,?,?,00000000,00F53CD6), ref: 00F42DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F3E6D1,?,00FD8A48,00000010,00F14F4A,?,?,00000000,00F53CD6), ref: 00F42DEC
_abort.LIBCMT ref: 00F42DF2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ea740e40dc34c64a156400dfe22642c5b5fd8b3fd176f50789c200993c3d8afc
Instruction ID: 00721abf39e7937190bdb50ca5760a2558a3340b421b09b37f5e5ab9594c3c72
Opcode Fuzzy Hash: ea740e40dc34c64a156400dfe22642c5b5fd8b3fd176f50789c200993c3d8afc
Instruction Fuzzy Hash: DFF0CD32D05A1127C69267397C06F1E3E76AFC2771F640435FC24921D1DE7889017161

Function 00FA8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296A2
Part of subcall function 00F29639: BeginPath.GDI32(?), ref: 00F296B9
Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FA8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FA8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FA8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FA8A80
EndPath.GDI32(?), ref: 00FA8A90
StrokePath.GDI32(?), ref: 00FA8AA0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 24e3866ef86b9043852d065f3c438acfbca939cea90027427d517fdb6fe5ac13
Instruction ID: f78b2743d40e46e9becf7c4d30874d864764bc40fb969fb04e6b779c158b417b
Opcode Fuzzy Hash: 24e3866ef86b9043852d065f3c438acfbca939cea90027427d517fdb6fe5ac13
Instruction Fuzzy Hash: 581109B600014CFFDB129F90DC88EAA7F6CEB09390F00C012BA199A1A1C7719D55EBA0

Function 00F751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F75218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F75229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F75230
ReleaseDC.USER32(00000000,00000000), ref: 00F75238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F7524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F75261

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a939b436f423ea00950aec3ef500fafdc5009f4e88f81f3e981bfc1290a1ee2b
Instruction ID: bbe6a3b66bdf07132bf109ef758622026c322fddb57bb7c2069dede6ca41b54e
Opcode Fuzzy Hash: a939b436f423ea00950aec3ef500fafdc5009f4e88f81f3e981bfc1290a1ee2b
Instruction Fuzzy Hash: 460162B5E00718BBEB109BA59C49E5EBFB9EF49751F048066FA09E7381D6709C00DFA1

Function 00F11BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F11BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F11BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F11C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F11C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F11C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F11C22

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3d5b174fe918ff348317e8ecdc868a218bf2df2fe7d9a0b2079dabf98ffe4199
Instruction ID: 31497f4e0c4ffc492fd8372c0a950a29e754092bc7f107b1e8c7cd8689944b28
Opcode Fuzzy Hash: 3d5b174fe918ff348317e8ecdc868a218bf2df2fe7d9a0b2079dabf98ffe4199
Instruction Fuzzy Hash: 7C0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 00F7EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F7EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F7EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F7EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB75

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f2f2654b7097863975bbd87992764e22e3d871f43ba95d9c5c7838df31cff53a
Instruction ID: f56d177187f96585a86dfc456ab9cedbbcfefda7819577b6c89bf40817e4c7be
Opcode Fuzzy Hash: f2f2654b7097863975bbd87992764e22e3d871f43ba95d9c5c7838df31cff53a
Instruction Fuzzy Hash: 72F017B2640158BBE6219B629C0EEAB3A7CEBCBB11F004159F605D1191EBA05A01AAF5

Function 00F67439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F67452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F67469
GetWindowDC.USER32(?), ref: 00F67475
GetPixel.GDI32(00000000,?,?), ref: 00F67484
ReleaseDC.USER32(?,00000000), ref: 00F67496
GetSysColor.USER32(00000005), ref: 00F674B0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 676edd7aa39d931bbaa2689965166f5b670b7ef64642a6aadb5755f25f224760
Instruction ID: 173d368597f43e42da51c5a98ad631c2a6d905e7a23a9d9446a62dcb010ce42d
Opcode Fuzzy Hash: 676edd7aa39d931bbaa2689965166f5b670b7ef64642a6aadb5755f25f224760
Instruction Fuzzy Hash: F7018B72800219EFDB10AF64DD08BAA7BB5FF06321F640060F919A21A0CF311E41BB90

Function 00F71874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F7187F
UnloadUserProfile.USERENV(?,?), ref: 00F7188B
CloseHandle.KERNEL32(?), ref: 00F71894
CloseHandle.KERNEL32(?), ref: 00F7189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F718A5
HeapFree.KERNEL32(00000000), ref: 00F718AC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 164c144de27216150ff323a5f10ad996f720d5b21834b5e987e9fabcacc640b7
Instruction ID: c0bbc7e9369c8153c54fc01143a302e2db3a28abef6c169bd1f706689546e46c
Opcode Fuzzy Hash: 164c144de27216150ff323a5f10ad996f720d5b21834b5e987e9fabcacc640b7
Instruction Fuzzy Hash: FFE0EDB6104209BBDB015FA2ED0C906BF79FF4A7217108220F22581071CB325421EF90

Function 00F7C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7C6EE
_wcslen.LIBCMT ref: 00F7C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F7C7CA

Strings

0, xrefs: 00F7C6AF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: eb83d9090425c9fc24e9dce6d5b55c7827359b6356c893c02661a91f6db5bba9
Instruction ID: 9729bad80adfc058a2d29e022f5fe72a1d868410104051cbed0e8082296cc052
Opcode Fuzzy Hash: eb83d9090425c9fc24e9dce6d5b55c7827359b6356c893c02661a91f6db5bba9
Instruction Fuzzy Hash: D251D071A043009BD7189F29CC85B6B77E4AF89320F048A2EF999D31D1DB74D945BB93

Function 00F9AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F9AEA3

Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625

GetProcessId.KERNEL32(00000000), ref: 00F9AF38
CloseHandle.KERNEL32(00000000), ref: 00F9AF67

Strings

<, xrefs: 00F9AE6B
@, xrefs: 00F9AE72

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: eba9d4986a3e2db79725b0ed1a8274cb4ec6f0902303ffe647485320ea796863
Instruction ID: 87b7dc1f3b8bd114cb59d56391e8779455cbddbdd49abe02ce616fe04fc1bc5f
Opcode Fuzzy Hash: eba9d4986a3e2db79725b0ed1a8274cb4ec6f0902303ffe647485320ea796863
Instruction Fuzzy Hash: FD716770A00619DFDF14EF55C884A9EBBF1BF08314F048499E81AAB252CB74ED85DB91

Function 00F7719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F77206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F7723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F7724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F772CF

Strings

DllGetClassObject, xrefs: 00F77242

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a4e69430818d43f2565ad5e80989329f1fc584b93943570785ad4258c1a57950
Instruction ID: 8ac9c41487fe1f3e9594cb37481311530ad8ab4e8400be4fabe12c7e8357ff46
Opcode Fuzzy Hash: a4e69430818d43f2565ad5e80989329f1fc584b93943570785ad4258c1a57950
Instruction Fuzzy Hash: 49419EB1A14304EFDB15DF54C884A9A7BA9EF44310F1480AABD09DF20AD7B0D944EFA1

Function 00FA3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA3E35
IsMenu.USER32(?), ref: 00FA3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA3E92
DrawMenuBar.USER32 ref: 00FA3EA5

Strings

0, xrefs: 00FA3D89

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 610fdf4e9fed0cba79bfff97a16c72be18bae6ca0b3589517003477be9a01598
Instruction ID: e72a7cb20db103fcbd2a33ce7990e3b23a550df5ce61309277fb65ae49a6e96a
Opcode Fuzzy Hash: 610fdf4e9fed0cba79bfff97a16c72be18bae6ca0b3589517003477be9a01598
Instruction Fuzzy Hash: C3412BB5E11209EFDB10DF50D8C4A9AB7B5FF46365F04411AF90597250D730AE49EF50

Function 00F71DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F71E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F71E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F71EA9

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

Strings

ListBox, xrefs: 00F71E25
ComboBox, xrefs: 00F71DF0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f8add2a7e38df74278c4c36ade17155ccaafe15ba8103968d61805db62c24d26
Instruction ID: 1f48990b72069d93d8725b61c966d4c0d5b8ecd89e72d829cb939067f22f278c
Opcode Fuzzy Hash: f8add2a7e38df74278c4c36ade17155ccaafe15ba8103968d61805db62c24d26
Instruction Fuzzy Hash: 9D216B71A00108BEDB149B68DC56CFFB7B8EF42360B14812AF859A32E1DB785D4DB661

Function 00FA2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FA2F8D
LoadLibraryW.KERNEL32(?), ref: 00FA2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FA2FA9
DestroyWindow.USER32(?), ref: 00FA2FB1

Strings

SysAnimate32, xrefs: 00FA2F68

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 8dfcd14c0e82500a461cdbd15f22e4becafbfc75aa01950f8e40930650297ffc
Instruction ID: 4767183dfa5f5a8164e5938456a33798bfa76095b4d82a396b083fdd6405765d
Opcode Fuzzy Hash: 8dfcd14c0e82500a461cdbd15f22e4becafbfc75aa01950f8e40930650297ffc
Instruction Fuzzy Hash: 5E216AB2B04209AFEB508F68DC80EBB77B9EB5A374F104619F950D6190D771DC91B7A0

Function 00F34D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F34D1E,00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002), ref: 00F34D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F34DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F34D1E,00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000), ref: 00F34DC3

Strings

CorExitProcess, xrefs: 00F34D98
mscoree.dll, xrefs: 00F34D86

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78fe8e7ad4dd93f3d578e658e93e577b1904589132361c189db5bf719f8356c6
Instruction ID: 2dfb18ea890b0fbb2c81408059c818c2c8a485eee5c4d105832e89438ef42780
Opcode Fuzzy Hash: 78fe8e7ad4dd93f3d578e658e93e577b1904589132361c189db5bf719f8356c6
Instruction Fuzzy Hash: 5CF03C75A4020CABDB119B95DC49BAEBFE5EB44762F0001A5E806A2260CF74A940EED1

Function 00F14E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F14EAE
FreeLibrary.KERNEL32(00000000,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F14EA8
kernel32.dll, xrefs: 00F14E94

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 503ac4e7634ac07ba73e7ab7c45ad3eec3e5b7c851749e88852371392af3066e
Instruction ID: 0506fde285864f7fb4cba61181df19c5d78cb9f51bcc97be8837e1f09535ce66
Opcode Fuzzy Hash: 503ac4e7634ac07ba73e7ab7c45ad3eec3e5b7c851749e88852371392af3066e
Instruction Fuzzy Hash: 98E08675F015225B923117256C18B9B7554AFC2B727090115FD04D2200DB60DD4165E2

Function 00F14E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F14E74
FreeLibrary.KERNEL32(00000000,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E87

Strings

kernel32.dll, xrefs: 00F14E5B
Wow64RevertWow64FsRedirection, xrefs: 00F14E6E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 4aa6d9d66b69ea18c3c3ce7ba67ea0a3e8efe08c371db0e24ee8c553524dd1c3
Instruction ID: 28b16099b53a66c154b746c685d0e8fd8c944c7e8b5392c813d84a56019507a4
Opcode Fuzzy Hash: 4aa6d9d66b69ea18c3c3ce7ba67ea0a3e8efe08c371db0e24ee8c553524dd1c3
Instruction Fuzzy Hash: E0D01279A026235756221B267C18ECB7A18AFC6B653090615F905A2114CF61DD42B6E1

Function 00F9A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F9A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F9A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F9A468
CloseHandle.KERNEL32(?), ref: 00F9A63D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9b79e8b51b9c00b50b18a91512802c4056cf1686dc5868f174189837e5a33d11
Instruction ID: 40697c057a4b3fc26e82ab73f7d6f9bbcb9af6ae3ce385cd087b338d217eefa4
Opcode Fuzzy Hash: 9b79e8b51b9c00b50b18a91512802c4056cf1686dc5868f174189837e5a33d11
Instruction Fuzzy Hash: B7A1A071604300AFEB20DF24D886F2AB7E5AF84714F14881DF95A9B292DB74EC41DB92

Function 00F4BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FB3700), ref: 00F4BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00FE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F4BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00FE1270,000000FF,?,0000003F,00000000,?), ref: 00F4BC36
_free.LIBCMT ref: 00F4BB7F

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F4BD4B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 93ee9bc46de14d1e246d79f715937e054129db4bd33b8ee58b176cc485b541b0
Instruction ID: ee7a89c0fabfa5be03b214e1be265d3d690f513edcb723dbcdb2fa4a350639dc
Opcode Fuzzy Hash: 93ee9bc46de14d1e246d79f715937e054129db4bd33b8ee58b176cc485b541b0
Instruction Fuzzy Hash: B851B771D04209AFDB14DF669CC19AEBFB8FF41320B10426AEA54D7192EB34DE41BB90

Function 00F7E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7CF22,?), ref: 00F7DDFD

Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7CF22,?), ref: 00F7DE16

Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F7E473
MoveFileW.KERNEL32(?,?), ref: 00F7E4AC
_wcslen.LIBCMT ref: 00F7E5EB
_wcslen.LIBCMT ref: 00F7E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F7E650

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 74ee4556cf30fb5a686aac1903a275766d956768c4a84b78eae3dce590de6ea9
Instruction ID: f0228a570fbe5e6917cea122c957e7ebed187c7daac9480866e804a4f2f6833e
Opcode Fuzzy Hash: 74ee4556cf30fb5a686aac1903a275766d956768c4a84b78eae3dce590de6ea9
Instruction Fuzzy Hash: A45182B24083455BC724DBA0DC819DB73ECAF89350F40495FF689D3151EF78A68897A7

Function 00F9B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F9BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F9BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F9BBB3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 2305928de5f856207909806056f560e06a054ca3effb8fe4b67b67ee2992a5c2
Instruction ID: 3ba1510d97d4a93acb2b7bd66584dab5661794d397a29b5c8db884535c0632e0
Opcode Fuzzy Hash: 2305928de5f856207909806056f560e06a054ca3effb8fe4b67b67ee2992a5c2
Instruction Fuzzy Hash: 93610331208201EFD714DF14C990E6ABBE5FF84318F54855CF4998B2A2CB35ED45EB92

Function 00F78BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F78BCD
VariantClear.OLEAUT32 ref: 00F78C3E
VariantClear.OLEAUT32 ref: 00F78C9D
VariantClear.OLEAUT32(?), ref: 00F78D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F78D3B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7258c0001794f6ef9a1bce8014884e5fb29675c947862ca625af0e134cb53dfa
Instruction ID: b80a6096ec71ec63efff95841d39dc9a57775f1b230c49e18cf4b2a489bc8854
Opcode Fuzzy Hash: 7258c0001794f6ef9a1bce8014884e5fb29675c947862ca625af0e134cb53dfa
Instruction Fuzzy Hash: 13515CB5A00219EFCB14CF58C894AAAB7F8FF8D350B15855AE909DB350E730E912CF90

Function 00F88AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F88BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F88BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F88C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F88C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F88C5F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d4d620d4aa7ca8a7d81dba9c7e383aa4301c2007434fae76851f7b966b8963b4
Instruction ID: 0b4515366b7a140421ee5182fd63271009eeda2b0e3512ceda61e30a5101ce95
Opcode Fuzzy Hash: d4d620d4aa7ca8a7d81dba9c7e383aa4301c2007434fae76851f7b966b8963b4
Instruction Fuzzy Hash: E1514C35A002199FCB05EF64C881AADBBF5FF49314F088458E849AB362DB35ED51EB90

Function 00F98EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F98F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F98FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F98FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F99032
FreeLibrary.KERNEL32(00000000), ref: 00F99052

Part of subcall function 00F2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F81043,?,7735E610), ref: 00F2F6E6
Part of subcall function 00F2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F6FA64,00000000,00000000,?,?,00F81043,?,7735E610,?,00F6FA64), ref: 00F2F70D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 686d0966f9acac9c72bdd1aaaa2182bc5502bc02588e27fafb8586f31f4974a4
Instruction ID: 3313db446366584ca3b47eeffaad73f60e866fbd4676b1fbb5bfbee6241dec4a
Opcode Fuzzy Hash: 686d0966f9acac9c72bdd1aaaa2182bc5502bc02588e27fafb8586f31f4974a4
Instruction Fuzzy Hash: E4517E35A04205DFDB04DF68C4949ADBBF1FF49324F098098E8169B362DB35ED86EB90

Function 00FA6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FA6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FA6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FA6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F8AB79,00000000,00000000), ref: 00FA6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FA6CC7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 7b0fde73949a813cc12e9048f274a942489635dcf65d2c8532b34c4317e13134
Instruction ID: 4a98de6547877b313be1c0d044f8e8edab37c3a6fda8f13159b9b8e42679355c
Opcode Fuzzy Hash: 7b0fde73949a813cc12e9048f274a942489635dcf65d2c8532b34c4317e13134
Instruction Fuzzy Hash: 1541B3B5A04104AFD724DF28CC54FA97BA5EB4B371F190228F899E73E1C771AD41EA90

Function 00F42051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F420C3
_free.LIBCMT ref: 00F420E3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e90b4c5450ba9fca056c180131fb1adb18f949755dcc60ceab6c5c4b678f5322
Instruction ID: 949b84ccbfb469b3f0ed13d846292349a6fa70420d07fdab38fa0299f1efc3f0
Opcode Fuzzy Hash: e90b4c5450ba9fca056c180131fb1adb18f949755dcc60ceab6c5c4b678f5322
Instruction Fuzzy Hash: 7C41CF32E002049BCB20DF78C880A5EBBF5EF88720F5545B9F915EB356DA31AD01EB80

Function 00F2912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F29141
ScreenToClient.USER32(00000000,?), ref: 00F2915E
GetAsyncKeyState.USER32(00000001), ref: 00F29183
GetAsyncKeyState.USER32(00000002), ref: 00F2919D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c54ae6fedf47dd71d28d97f74801bd10680afdbcce07c4ca5f7455a62442829b
Instruction ID: d1f832c04f5ea1d067020f69b7517d3ac56fa7464b02ac55716350fc2c3d8cdb
Opcode Fuzzy Hash: c54ae6fedf47dd71d28d97f74801bd10680afdbcce07c4ca5f7455a62442829b
Instruction Fuzzy Hash: 22416071A0861ABBDF15AF69D844BEEB774FB06334F204216E429A32D0C7746950EF91

Function 00F83874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F83922
TranslateMessage.USER32(?), ref: 00F8394B
DispatchMessageW.USER32(?), ref: 00F83955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F83966

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 81b44b6f4f1d8f5e430c0c0a0cc7de65d74bcef42fe7e199b870119217987b39
Instruction ID: d622f3cc50b63c73b271d05c017ae446d4f7333896912d891ac6d8afd310c50c
Opcode Fuzzy Hash: 81b44b6f4f1d8f5e430c0c0a0cc7de65d74bcef42fe7e199b870119217987b39
Instruction Fuzzy Hash: E631E571D043899EEB35EB35DC88BF637A9EB05B10F04056DE466860B0E7F4AA85FB11

Function 00F8CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00F8CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00F8CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFF2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: de44aa4e8d26e2b0bac398c9f09b7ba101112dec961bb19d16fcfc4f7a212445
Instruction ID: 548d1dbe377123704a8411f47e8144a08ac2a23d3c1c6ad482403b65f1ef4619
Opcode Fuzzy Hash: de44aa4e8d26e2b0bac398c9f09b7ba101112dec961bb19d16fcfc4f7a212445
Instruction Fuzzy Hash: 703150B1904205EFEB20EFA5D884AABBBF9EF15354B10442EF616D2140DB34AD45EBB0

Function 00F71901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F71915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F719E2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 80c336edc8980b731f77da87044fa76230072befd0fb8b78124e8113e84965ab
Instruction ID: bcfb8134c6e06e463f76445e7a0f9dee151ca9cc69270981d7245a49ca3e27e6
Opcode Fuzzy Hash: 80c336edc8980b731f77da87044fa76230072befd0fb8b78124e8113e84965ab
Instruction Fuzzy Hash: A231C171A00219EFCB10CFACCD58ADE3BB5FB05324F008226FA25A72D1C3709959EB91

Function 00FA5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FA5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FA579D
_wcslen.LIBCMT ref: 00FA57AF
_wcslen.LIBCMT ref: 00FA57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA5816

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3f157750d41b12af5d864cfe9a07a849c1ba192d6529c9016715ba975d796eab
Instruction ID: 137cdc5c9156619572a6f8f258312bc2f6cb843d5848bf5b7c96d8c832c72de8
Opcode Fuzzy Hash: 3f157750d41b12af5d864cfe9a07a849c1ba192d6529c9016715ba975d796eab
Instruction Fuzzy Hash: AC2185B5D04618DADB20DFA0CC85AEE77B8FF06B34F108216F919EA180D7749985EF91

Function 00F90930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F90951
GetForegroundWindow.USER32 ref: 00F90968
GetDC.USER32(00000000), ref: 00F909A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F909B0
ReleaseDC.USER32(00000000,00000003), ref: 00F909E8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b66e8f5ba544e34b1cf784b174406b627802648fc147fb2ad11c51d62642cb6e
Instruction ID: 26b83ae87862b5fb90742f45bf63d1f40caa79a1eda658204330e16c3e6bb1b7
Opcode Fuzzy Hash: b66e8f5ba544e34b1cf784b174406b627802648fc147fb2ad11c51d62642cb6e
Instruction Fuzzy Hash: B3218176A00204AFD714EF65CD84AAEBBE9EF45700F048468F84AA7352DB34AC44EB90

Function 00F4CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F4CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4CDE9

Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F4CE0F
_free.LIBCMT ref: 00F4CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4CE31

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 85648a8806a2743cc8dc5c537153505337f9f3f185867c8ecfcc9f03578612a0
Instruction ID: 41074dd1cd0757a4f790f1cc15a6f444036199b4fdc9b0b00c856fbe0c46217c
Opcode Fuzzy Hash: 85648a8806a2743cc8dc5c537153505337f9f3f185867c8ecfcc9f03578612a0
Instruction Fuzzy Hash: 1F0184B2A032157F276116BA6C88D7B7D6DDEC7BA13151129FD05C7201EF658D02B1F0

Function 00F29639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
SelectObject.GDI32(?,00000000), ref: 00F296A2
BeginPath.GDI32(?), ref: 00F296B9
SelectObject.GDI32(?,00000000), ref: 00F296E2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 86700862888fca113c41d52e5d746c544debb63ab0d19de01798345e74af7ae7
Instruction ID: 411f6a8312757a394197a6f9af92c88b46740d7aa8e383558d9af57e4044ac8d
Opcode Fuzzy Hash: 86700862888fca113c41d52e5d746c544debb63ab0d19de01798345e74af7ae7
Instruction Fuzzy Hash: D1219F71806359EFDB119F26EC88BAD3FA8BB01365F104216F410AB1B2D3B49895FF90

Function 00F2990F Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00F298D6
SetBkMode.GDI32(?,00000001), ref: 00F298E9
GetStockObject.GDI32(00000005), ref: 00F298F1
GetWindowLongW.USER32(?,000000EB), ref: 00F29952

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 2c186ea271cc2be81221c996690c41a3743c403770fb3fcbd4d96e4f86db0c3d
Instruction ID: 408cd86b72a05038e461d57a92fb65aa51a2d4f4b46049afc125b540a44da212
Opcode Fuzzy Hash: 2c186ea271cc2be81221c996690c41a3743c403770fb3fcbd4d96e4f86db0c3d
Instruction Fuzzy Hash: 3C1127B29492649FC7218B75FC59BFA3B60AB53331F08015DE5924B1E2C7B14980FB51

Function 00F75711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F75726
_memcmp.LIBVCRUNTIME ref: 00F75744
_memcmp.LIBVCRUNTIME ref: 00F75757
_memcmp.LIBVCRUNTIME ref: 00F7576F
_memcmp.LIBVCRUNTIME ref: 00F75787

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 87f8128c48d2025ab1485b1a7721110376880ad48551ea9c12f9cc0cc5bee0f0
Instruction ID: 5aed0b1e3391286456e0d0b589c728bc4d72cc8b5c57d1d38200ae0b7fc92490
Opcode Fuzzy Hash: 87f8128c48d2025ab1485b1a7721110376880ad48551ea9c12f9cc0cc5bee0f0
Instruction Fuzzy Hash: 94019BA6A4160DFA920C55119D82FBA735D9B617B4F008026FD085E141F7A5EE15B2A2

Function 00F42DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F3F2DE,00F43863,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6), ref: 00F42DFD
_free.LIBCMT ref: 00F42E32
_free.LIBCMT ref: 00F42E59
SetLastError.KERNEL32(00000000,00F11129), ref: 00F42E66
SetLastError.KERNEL32(00000000,00F11129), ref: 00F42E6F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 90bdcec3bdf089326b65378ca413a82c71a8ae1a44536d639d26142529d06195
Instruction ID: 7ba15035ea4806dd112f55e5248e1474d5c6bd0ee2c1443230da4b0be6eea1b9
Opcode Fuzzy Hash: 90bdcec3bdf089326b65378ca413a82c71a8ae1a44536d639d26142529d06195
Instruction Fuzzy Hash: DB01F47360560577CA5267356C85E2B3E6AABD27B1BE40039FC25E2292EE78CC01B160

Function 00F7000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?,?,00F7035E), ref: 00F7002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?), ref: 00F70064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70070

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 85d3f2b8bec18a42c550c8d08ee60faca53b7ac2ea329748e3ff2ae6ff992c55
Instruction ID: 1eb50bf0f5d4d73285e88ad96496c7834600d3996495e4ceb542f2330adf5cb1
Opcode Fuzzy Hash: 85d3f2b8bec18a42c550c8d08ee60faca53b7ac2ea329748e3ff2ae6ff992c55
Instruction Fuzzy Hash: 680162B6600218FFDB114F69DC44BAA7BEDEF48761F148125F909D6210DB75DD40ABA0

Function 00F7E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F7E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F7E9A5
Sleep.KERNEL32(00000000), ref: 00F7E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F7E9B7
Sleep.KERNEL32 ref: 00F7E9F3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4e1446b989289b147cc530fe67f2d67243ec06d62574a44aad26b8968f3e41cd
Instruction ID: 69cc7b2f040950127488b629c47487795b5a85a47c5ac893335cb760cc756d90
Opcode Fuzzy Hash: 4e1446b989289b147cc530fe67f2d67243ec06d62574a44aad26b8968f3e41cd
Instruction Fuzzy Hash: 83015B72D0152DDBCF009BE5DC49ADDBB78BF0E311F004587E606B2241CB349555EBA2

Function 00F710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 42a40c6086b1d7df6323914cc7d8a116a281fae3dbe77d5130e378dd8b944160
Instruction ID: cc4c14f8e76c3580c2846b5220419e4f45812e9d3d1d180a4dd7f0e002b344f2
Opcode Fuzzy Hash: 42a40c6086b1d7df6323914cc7d8a116a281fae3dbe77d5130e378dd8b944160
Instruction Fuzzy Hash: C9011DB5600209BFDB114F69DC49A6A3B7EFF86360B514415FA45D7360DA71DD00AAA0

Function 00F70FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F70FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F70FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F70FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F70FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F71002

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f6c3189d5c388aef546c6b85cdbb31916e3f24bff07c008cbd039e73502fae85
Instruction ID: b54090c9b3b2404fbe9083f903c4f8bc3ee802731c4e1c94d6b32b2319304def
Opcode Fuzzy Hash: f6c3189d5c388aef546c6b85cdbb31916e3f24bff07c008cbd039e73502fae85
Instruction Fuzzy Hash: 1CF049B5600309ABDB214FA99C49F563BADFF8A762F108415FA49C6251DE70DC50AAA0

Function 00F71014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F7102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F71036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71062

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5398ae3fd9ff69d3dc32c5f153b3a51f63a2c0b5a970c417986b46fe5d0f9e69
Instruction ID: b3d88f11d848e15bfabe97d25e6d087f77d428f8ce63bf1498bc72fc45595187
Opcode Fuzzy Hash: 5398ae3fd9ff69d3dc32c5f153b3a51f63a2c0b5a970c417986b46fe5d0f9e69
Instruction Fuzzy Hash: 60F06DB5200309FBDB215FA9EC49F563BAEFF8A761F104415FA49C7251DE70D850AAA0

Function 00F8030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80324
CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80331
CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F8033E
CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F8034B
CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80358
CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80365

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 778dc5edcca292fe31013cd125f31b345bd00eb54986f735c76098a1f0881679
Instruction ID: 41e66d9c761bb7403246ecb94612fbac51a28a2e9c6afd31078bac300a380d33
Opcode Fuzzy Hash: 778dc5edcca292fe31013cd125f31b345bd00eb54986f735c76098a1f0881679
Instruction Fuzzy Hash: 6401AE72801B15DFCB30AF66D880852FBF9BF603253558A3FD19652931CBB1A958EF80

Function 00F4D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F4D752

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F4D764
_free.LIBCMT ref: 00F4D776
_free.LIBCMT ref: 00F4D788
_free.LIBCMT ref: 00F4D79A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 99b6dc2da6d8c8b103387ca1bd3ce904ad30d6db63cdd09287d5ee191e88867e
Instruction ID: 6bdfd334b1148a894749ceb9afe35ba0d1628fe32c70232285b7df720c2c6c9e
Opcode Fuzzy Hash: 99b6dc2da6d8c8b103387ca1bd3ce904ad30d6db63cdd09287d5ee191e88867e
Instruction Fuzzy Hash: D4F01232945209AB9665EB69FDC5C167FEEBB447207D40C16F848D7501C734FC80B6A4

Function 00F75C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F75C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F75C6F
MessageBeep.USER32(00000000), ref: 00F75C87
KillTimer.USER32(?,0000040A), ref: 00F75CA3
EndDialog.USER32(?,00000001), ref: 00F75CBD

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d9531f6a0ef2554f504a5a180bb44618de314dc33dd3e95b9c6eee6d67b49cbb
Instruction ID: 6f1d2a870e4f9506a7a706ac398825199432af573d7e86e520111465300e9db1
Opcode Fuzzy Hash: d9531f6a0ef2554f504a5a180bb44618de314dc33dd3e95b9c6eee6d67b49cbb
Instruction Fuzzy Hash: 4801A970500B08ABEB219B20DD4EFA677B8BF01F05F04455AB587A11E1DBF4A994EFD1

Function 00F422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F422BE

Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0

_free.LIBCMT ref: 00F422D0
_free.LIBCMT ref: 00F422E3
_free.LIBCMT ref: 00F422F4
_free.LIBCMT ref: 00F42305

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bee3a393de9961fc1f7995477c0bd5a6870adb9d79605d313cb3508eb05eed34
Instruction ID: c8e76a838b4bc0aa0b08bf3240b5546a28a9261e68bc3f193f9962ec1af7b58d
Opcode Fuzzy Hash: bee3a393de9961fc1f7995477c0bd5a6870adb9d79605d313cb3508eb05eed34
Instruction Fuzzy Hash: 72F05E708011A99B9A52AF6ABC8180D3F79F718770784052BF810DA2B1CB761962FFE4

Function 00F295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F295D4
StrokeAndFillPath.GDI32(?,?,00F671F7,00000000,?,?,?), ref: 00F295F0
SelectObject.GDI32(?,00000000), ref: 00F29603
DeleteObject.GDI32 ref: 00F29616
StrokePath.GDI32(?), ref: 00F29631

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 89856cd60a6d6429b4651ce4d008c3cefcbbcb4992c2a3192ebecdd7ab0949dd
Instruction ID: 92ea5225117b8b87342b3b51788b9cdb6800cdc140cebc8c6e589a3258cbcb5a
Opcode Fuzzy Hash: 89856cd60a6d6429b4651ce4d008c3cefcbbcb4992c2a3192ebecdd7ab0949dd
Instruction Fuzzy Hash: 20F0197140A24CEBDB125F66ED587683FA1BB02332F048214F5259A0F2CB748995FF60

Function 00F40F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F410F9
__freea.LIBCMT ref: 00F41117

Part of subcall function 00F41537: _free.LIBCMT ref: 00F4154F

Strings

am/pm, xrefs: 00F4117A
a/p, xrefs: 00F411DE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 448769b0a3d1e037c46d72151f2955b90d552e41c9e76eace3be73363ef2bd81
Instruction ID: 321fb26060d3c1cd9bdd5d2c4d6e8a6de0bc2b22d2d49acfecf4a19528e3fa62
Opcode Fuzzy Hash: 448769b0a3d1e037c46d72151f2955b90d552e41c9e76eace3be73363ef2bd81
Instruction Fuzzy Hash: D1D10132E10206CADB288F68C845BFABFB5FF05720F284119ED11AB650D3759EC0EB91

Function 00F97B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F30242: EnterCriticalSection.KERNEL32(00FE070C,00FE1884,?,?,00F2198B,00FE2518,?,?,?,00F112F9,00000000), ref: 00F3024D
Part of subcall function 00F30242: LeaveCriticalSection.KERNEL32(00FE070C,?,00F2198B,00FE2518,?,?,?,00F112F9,00000000), ref: 00F3028A

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F300A3: __onexit.LIBCMT ref: 00F300A9

__Init_thread_footer.LIBCMT ref: 00F97BFB

Part of subcall function 00F301F8: EnterCriticalSection.KERNEL32(00FE070C,?,?,00F28747,00FE2514), ref: 00F30202
Part of subcall function 00F301F8: LeaveCriticalSection.KERNEL32(00FE070C,?,00F28747,00FE2514), ref: 00F30235

Strings

5, xrefs: 00F97C78
G, xrefs: 00F97C7F
Variable must be of type 'Object'., xrefs: 00F97C3A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 19a51148276ae71e772b7f9545bced5d11e403f0a862b1524f9432d8996c8687
Instruction ID: a5b1406ab118fa26158eac45566c1a89195efbbdd6c4b6a2b634f68e1f3d0859
Opcode Fuzzy Hash: 19a51148276ae71e772b7f9545bced5d11e403f0a862b1524f9432d8996c8687
Instruction Fuzzy Hash: 03919A70A14309EFEF04EF54D891DADB7B1BF49310F14805AF806AB292DB71AE81EB51

Function 00F72716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F721D0,?,?,00000034,00000800,?,00000034), ref: 00F7B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F72760

Part of subcall function 00F7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F7B3F8

Part of subcall function 00F7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F7B355
Part of subcall function 00F7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F72194,00000034,?,?,00001004,00000000,00000000), ref: 00F7B365
Part of subcall function 00F7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F72194,00000034,?,?,00001004,00000000,00000000), ref: 00F7B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F7281A

Strings

@, xrefs: 00F72832

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 68e0777a4737f76f9f31b9c35afe97247c75f016e7202fc14ac1f4462c5eecb7
Instruction ID: 3fc7dcb9e90761a4a2a282c20088a0c255172ff833027c230992a008e3f1487c
Opcode Fuzzy Hash: 68e0777a4737f76f9f31b9c35afe97247c75f016e7202fc14ac1f4462c5eecb7
Instruction Fuzzy Hash: E9413D76900218AFDB10DFA4CD45BDEBBB8AF05310F008096FA59B7181DB716E85DBA2

Function 00F4172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\jsLnybSs43.exe,00000104), ref: 00F41769
_free.LIBCMT ref: 00F41834
_free.LIBCMT ref: 00F4183E

Strings

C:\Users\user\Desktop\jsLnybSs43.exe, xrefs: 00F41760, 00F41767, 00F41796, 00F417CE

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\jsLnybSs43.exe
API String ID: 2506810119-1159767723
Opcode ID: e6a2f8e39671edb357c365e1c1b8d5be3aa9975813e7ea65905bef7aa92f1412
Instruction ID: 564c31fd9a81c2d03f14bd7d36cc01f086cec90a373b8722f7d0b25e067190af
Opcode Fuzzy Hash: e6a2f8e39671edb357c365e1c1b8d5be3aa9975813e7ea65905bef7aa92f1412
Instruction Fuzzy Hash: 86316D71E40258ABDB21DB9A9C85D9EBFFCFB85320B144166F904DB211D6748A80EBA0

Function 00F7C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F7C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F7C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FE1990,01945170), ref: 00F7C395

Strings

0, xrefs: 00F7C2DF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9418425d86968558b27d0b7d043510afd7e69be9ab469c359bd346532e6b0b43
Instruction ID: a011dc5559757037ffb25608d12157f18f2ac47a076446645fa79e7724a8b870
Opcode Fuzzy Hash: 9418425d86968558b27d0b7d043510afd7e69be9ab469c359bd346532e6b0b43
Instruction Fuzzy Hash: AE4180716043019FD720DF25DC84B5ABBE8AF85320F14C61EF9A9972D1D774A904EBA3

Function 00FA4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FACC08,00000000,?,?,?,?), ref: 00FA44AA
GetWindowLongW.USER32 ref: 00FA44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA44D7

Strings

SysTreeView32, xrefs: 00FA447C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5197c472d3aa40dc6c8d7fbb1a604fbca9ffc96f4610eb4eff143061b163f1b2
Instruction ID: 79ba0c3d7692b236b78e4f96d71fba55838f8d9b2d7a7a01d8226453060c7424
Opcode Fuzzy Hash: 5197c472d3aa40dc6c8d7fbb1a604fbca9ffc96f4610eb4eff143061b163f1b2
Instruction Fuzzy Hash: 4B31ADB1610209AFDB20CE78DC45BEA77A9EB8A334F244725FD79921D0D7B4EC50AB50

Function 00F9304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F93077,?,?), ref: 00F93378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
_wcslen.LIBCMT ref: 00F9309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F93106

Strings

255.255.255.255, xrefs: 00F93095, 00F9309A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 15eb7203cbaa98695e5d9ebf7c3f79970c5011c1a0eb77742c85ad5ecdf06c9a
Instruction ID: 6d8570df5e31715828995ec7eed822218ac04e502d04ae9da477e3a1d31f1f09
Opcode Fuzzy Hash: 15eb7203cbaa98695e5d9ebf7c3f79970c5011c1a0eb77742c85ad5ecdf06c9a
Instruction Fuzzy Hash: DF310935A042059FEF20CF68C885FAA77F0EF15328F148055E4158B3A2D775EE85E760

Function 00FA3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FA3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FA3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA3F78

Strings

SysMonthCal32, xrefs: 00FA3F0B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: adce138441961b48bc4e429b9ab0c445f0f4f37eb481a316235091da51bfea45
Instruction ID: df1b8bfbfa1b1514ea5ab36645e366e6ccaafe2259b3d741888a592970b6ee0e
Opcode Fuzzy Hash: adce138441961b48bc4e429b9ab0c445f0f4f37eb481a316235091da51bfea45
Instruction Fuzzy Hash: 1821EF72A10219BFDF258F50CC42FEA3B79EB49724F110215FA196B1C0D6B5AC50AB90

Function 00FA4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FA4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FA4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FA471A

Strings

msctls_updown32, xrefs: 00FA4684

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 29517373ca6321a0d199773c575b38d5b16382868d351a093d136aed793d3267
Instruction ID: 044b72db6f69d005986c4175334305d8b7af9e246da320bb9c454e55af9c49bc
Opcode Fuzzy Hash: 29517373ca6321a0d199773c575b38d5b16382868d351a093d136aed793d3267
Instruction Fuzzy Hash: AD2130B5600248AFDB10DF64DCC1DAA37ADEB8A3A4B040059F5009B351D771FC51EA60

Function 00F795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F7961D

Strings

#OnAutoItStartRegister, xrefs: 00F795F3
#requireadmin, xrefs: 00F795D9
#notrayicon, xrefs: 00F795B7

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 6e915591e79e1715b5662d4b1e92304629b486fa348aadad38380a25c53be0f5
Instruction ID: a5a843402d75626db021509b7fc077f354af0a4a214af554e5df91bd208b860a
Opcode Fuzzy Hash: 6e915591e79e1715b5662d4b1e92304629b486fa348aadad38380a25c53be0f5
Instruction Fuzzy Hash: 5221387250862166C331BA25DC02FB773E89F91320F148027F94D9B181EBD9AD85F297

Function 00FA37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FA3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FA3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FA3876

Strings

Listbox, xrefs: 00FA380F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: db3ace4d6114574bbd7cec214baf3d45f644c71f95aa5ce7b76947328029e7ec
Instruction ID: f7c6622f908ab5c5ff2167794ccabe89aa5b0eb168e6cae8157ab74f1fb002ed
Opcode Fuzzy Hash: db3ace4d6114574bbd7cec214baf3d45f644c71f95aa5ce7b76947328029e7ec
Instruction Fuzzy Hash: 9521A7B2A141187BEF119F54CC45FBB376EEF8A760F118115F9049B190C675DC51A7E0

Function 00F849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F84A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F84A5C
SetErrorMode.KERNEL32(00000000,?,?,00FACC08), ref: 00F84AD0

Strings

%lu, xrefs: 00F84A6F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 12d91e75015759d190d3fc8018f1c919a0668bdf082dbc3f5c80a20e800c5ed5
Instruction ID: 4cf6df17c15a829fc2989b7d6ab4e9cf426c204fdb69a56b08cddab02fdbc456
Opcode Fuzzy Hash: 12d91e75015759d190d3fc8018f1c919a0668bdf082dbc3f5c80a20e800c5ed5
Instruction Fuzzy Hash: CB318E71A00109AFDB10DF54C881EAA7BF8EF09318F1480A5E909DB252DB75EE45DBA1

Function 00FA41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FA424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FA4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FA4271

Strings

msctls_trackbar32, xrefs: 00FA4226

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6e4df4fc63963c08f26761ac4b340a8dda4f52e83f9dcadb290dc64679912300
Instruction ID: 1862c373ea17d106e7b34e2e1b860b49dfa293fb79a540c7eed39d410b25b825
Opcode Fuzzy Hash: 6e4df4fc63963c08f26761ac4b340a8dda4f52e83f9dcadb290dc64679912300
Instruction Fuzzy Hash: 99110671640248BEEF205F29CC46FAB3BACEFC6B64F010124FA55E6090D6B1EC51AB60

Function 00F72F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A

Part of subcall function 00F72DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F72DC5
Part of subcall function 00F72DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F72DD6
Part of subcall function 00F72DA7: GetCurrentThreadId.KERNEL32 ref: 00F72DDD
Part of subcall function 00F72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F72DE4

GetFocus.USER32 ref: 00F72F78

Part of subcall function 00F72DEE: GetParent.USER32(00000000), ref: 00F72DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F72FC3
EnumChildWindows.USER32(?,00F7303B), ref: 00F72FEB

Strings

%s%d, xrefs: 00F72FFF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ae9f1fc4c92e1e1be7eacec836bdb37dabaa2424e892523f297d54eb1849d502
Instruction ID: e8b34b84397137b558f2d3acd8e920307c7d0d86fe31364845833c7d28c83d07
Opcode Fuzzy Hash: ae9f1fc4c92e1e1be7eacec836bdb37dabaa2424e892523f297d54eb1849d502
Instruction Fuzzy Hash: E211B4B16002096BCF54BF708C85EED377AAF84314F04807AF90DDB252DE349949BB62

Function 00FA5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA58EE
DrawMenuBar.USER32(?), ref: 00FA58FD

Strings

0, xrefs: 00FA588F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a56ca67f5d2b8b68c805db9225c22567b680b2ee8db559bc17ea207b8f07a451
Instruction ID: 7c11b642e7c9d416d80d66f5bd5b4c35c8424efda94fb6d05a593778b742dc6d
Opcode Fuzzy Hash: a56ca67f5d2b8b68c805db9225c22567b680b2ee8db559bc17ea207b8f07a451
Instruction Fuzzy Hash: 7B015E71910218EEDB119F11EC44BAFBBB4FF4A760F1480A9F849DA151DB308A84FF61

Function 00F6D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F6D3BF
FreeLibrary.KERNEL32 ref: 00F6D3E5

Strings

X64, xrefs: 00F6D2A8
GetSystemWow64DirectoryW, xrefs: 00F6D3B9

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: c235d79917900833c9c5c57694fe2f3666bbf2eb5898320e22569994ca622c21
Instruction ID: 29e27f1dedb1f421527d40b921ba2cc42e0b7b60eb6cf37d800331344cae631d
Opcode Fuzzy Hash: c235d79917900833c9c5c57694fe2f3666bbf2eb5898320e22569994ca622c21
Instruction Fuzzy Hash: D1F02BF6F05731DBD77156124C75B693324AF11705B598155F402EA207E760CD44B6D2

Function 00F7007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd9a16cd8fa615747dc87a71586e042815d23f9daf3db393c5765680f2590ba
Instruction ID: 0fe0c1130e8e8671ef8f7200c6533c0d32c5fa90470e64159ae6dafb66628c24
Opcode Fuzzy Hash: bcd9a16cd8fa615747dc87a71586e042815d23f9daf3db393c5765680f2590ba
Instruction Fuzzy Hash: EBC15B75A0020AEFDB14CFA4C894BAEB7B5FF48314F108599E409EB291DB71ED41EB91

Function 00F9342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F93459
CoUninitialize.OLE32 ref: 00F93463
VariantInit.OLEAUT32(?), ref: 00F9346E
VariantClear.OLEAUT32(?), ref: 00F9371B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 96409ab37742e99ac279337fb5396957a69451fddc107862745c0876cb071900
Instruction ID: aea2c54fb277f7f0016487be6217c23efa0ef518c2ce4cb4acfb8b3f3703ebe3
Opcode Fuzzy Hash: 96409ab37742e99ac279337fb5396957a69451fddc107862745c0876cb071900
Instruction Fuzzy Hash: C3A15E756043109FDB10EF24C885E5AB7E5FF88714F088859F9899B362DB34ED41EB92

Function 00F70436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F70608
CLSIDFromProgID.OLE32(?,?,00000000,00FACC40,000000FF,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F7062D
_memcmp.LIBVCRUNTIME ref: 00F7064E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: aa310294ee77a8c17cc669ba0babd9defd818343fced69a06a5f2810c6d98b78
Instruction ID: 4811171f598963beaafc30d02568a451fe36e42905dee5b2dd43ce5cf6821b7a
Opcode Fuzzy Hash: aa310294ee77a8c17cc669ba0babd9defd818343fced69a06a5f2810c6d98b78
Instruction Fuzzy Hash: D5813971A00109EFCB04DF94C984EEEB7B9FF89315F248159F506AB250DB71AE06DBA1

Function 00F51391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F514C0

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 92acca03f320f0785c16698671e90f298c0dc918014618aea5fa4cf4e2a66b4e
Instruction ID: a56895ace15bb654cec0d6436b5752dde0056be817029fff05bc20c792b51b2c
Opcode Fuzzy Hash: 92acca03f320f0785c16698671e90f298c0dc918014618aea5fa4cf4e2a66b4e
Instruction Fuzzy Hash: E9411932E00500ABDB21EBB99C45BBE3AA5FF43371F144225FE19D6192E67CA8497271

Function 00FA6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0194D7E8,?), ref: 00FA62E2
ScreenToClient.USER32(?,?), ref: 00FA6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FA6382

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 25a64c973ca105fb6fe8f531c8d3525a225eacd89eeb9e6fb90a970aa9033347
Instruction ID: e3b0b8b5183b518d65c0fe589a2704aad9ec0f2a53ce6e2a8478b1706d041c84
Opcode Fuzzy Hash: 25a64c973ca105fb6fe8f531c8d3525a225eacd89eeb9e6fb90a970aa9033347
Instruction Fuzzy Hash: BF511AB4A00249EFDF10DF68D880AAE7BB5FB56360F148169F915DB290D730AD81EB90

Function 00F91AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F91AFD
WSAGetLastError.WSOCK32 ref: 00F91B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F91B8A
WSAGetLastError.WSOCK32 ref: 00F91B94

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f8f9f1db94745257497cd644aeef6f4a1fda7c7d5c99ac7cb3dec4c4663fd341
Instruction ID: 1bea4f391ba08e1b8368bb7639dfb6bdf0a072e24688e290253c6f75731725e2
Opcode Fuzzy Hash: f8f9f1db94745257497cd644aeef6f4a1fda7c7d5c99ac7cb3dec4c4663fd341
Instruction Fuzzy Hash: AA41D135640200AFEB20AF24C886F6577E5AB84718F54C458F91A9F3D3D776ED829B90

Function 00F4B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cbb64a1d831ecfde1d808fd0416dcab25cbe96b4fcd5aa5479f23a78481d0c
Instruction ID: 100caf6a737b3aae161264040b0281cf1c2bea63ca8e6f90c669e6b5090d887e
Opcode Fuzzy Hash: 11cbb64a1d831ecfde1d808fd0416dcab25cbe96b4fcd5aa5479f23a78481d0c
Instruction Fuzzy Hash: BF410872A00304AFD724DF38CC41BAABFA9EB88720F10462AF955DB693D775E9059790

Function 00F856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F85783
GetLastError.KERNEL32(?,00000000), ref: 00F857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F857FA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f88083662d76be95b40e44970e6a864c6c22dc840b38629e8fdf5bf98bf6bcf9
Instruction ID: ade60578695804578c1549735d209cae9d7877dbeb197ea31b66f0fbbf71cf7b
Opcode Fuzzy Hash: f88083662d76be95b40e44970e6a864c6c22dc840b38629e8fdf5bf98bf6bcf9
Instruction Fuzzy Hash: 49414F35600610DFCB11EF15C844A9DBBF2EF49720B18C488E84A9B366CB34FD41EB91

Function 00F4D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F36D71,00000000,00000000,00F382D9,?,00F382D9,?,00000001,00F36D71,8BE85006,00000001,00F382D9,00F382D9), ref: 00F4D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F4D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F4D9AB
__freea.LIBCMT ref: 00F4D9B4

Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bd121706348d5b01cfd93d6bc7b38f5b17b479a93cf532e7c30073d863c11745
Instruction ID: 689c210517e6966fc01e91c255d5c5e42c5103e98bd386e15c1d3ae1402356da
Opcode Fuzzy Hash: bd121706348d5b01cfd93d6bc7b38f5b17b479a93cf532e7c30073d863c11745
Instruction Fuzzy Hash: 7631BC72A0120AABDF249F64DC45EAE7FA5EB41720F054268FC04D7290EB39DD50EBA0

Function 00FA52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FA5352
GetWindowLongW.USER32(?,000000F0), ref: 00FA5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA53A8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 448a347dc560f57efd0400d0ad08ed3c6c1c4d9bdd59c8996ae691bd45d1e870
Instruction ID: 551ff8df6748515bd3c26d48bc272a170553737bb13c0616b08b3ec75afef667
Opcode Fuzzy Hash: 448a347dc560f57efd0400d0ad08ed3c6c1c4d9bdd59c8996ae691bd45d1e870
Instruction Fuzzy Hash: EE31D2B5E55B0CFFEF349A54CC45BE83767AB86BA0F584001FA11962E1C7B1A940BB81

Function 00F7AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00F7ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F7AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F7AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00F7ACC6

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 36395ffc4e9a3f2fc72dceef0b048b8e1110543bb94e898b95dac989e2499511
Instruction ID: 10346a1dbd912118b0f3bfd98b75045b9a29531852c3790458175cf1b0f85a14
Opcode Fuzzy Hash: 36395ffc4e9a3f2fc72dceef0b048b8e1110543bb94e898b95dac989e2499511
Instruction Fuzzy Hash: 9B31F670E046187FEF26CB658C05BFE7AA5ABC9320F05D21BE489921D1C375C985A793

Function 00FA7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FA769A
GetWindowRect.USER32(?,?), ref: 00FA7710
PtInRect.USER32(?,?,00FA8B89), ref: 00FA7720
MessageBeep.USER32(00000000), ref: 00FA778C

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fd087d08f412436d9e7ed27e006324afccdd230bf336ae3e2919b501f431f2bb
Instruction ID: 9a6d9514c7e2cac856ac328c15b0f5e08bbfbd6efc641747d53820d6135094e7
Opcode Fuzzy Hash: fd087d08f412436d9e7ed27e006324afccdd230bf336ae3e2919b501f431f2bb
Instruction Fuzzy Hash: F5419CB4A09358DFDB01EF59CC94EA9BBF4BB4A310F1940A9E4149B261C730A941EB90

Function 00FA16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FA16EB

Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65

GetCaretPos.USER32(?), ref: 00FA16FF
ClientToScreen.USER32(00000000,?), ref: 00FA174C
GetForegroundWindow.USER32 ref: 00FA1752

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bf7781c6fdd6a958485c30b1010759a6fbcd2202ee2d6a65294288e417d39ee8
Instruction ID: 66444bf3494643a99b92aa962146c2fefb0c655e35bcef93fd8aa528103b35cd
Opcode Fuzzy Hash: bf7781c6fdd6a958485c30b1010759a6fbcd2202ee2d6a65294288e417d39ee8
Instruction Fuzzy Hash: D0314FB5D00249AFD700EFA9C881CEEBBF9EF49304B5480AAE415E7211D735DE45DBA0

Function 00F7D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F7D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F7D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F7D52F
CloseHandle.KERNEL32(00000000), ref: 00F7D5DC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 65d898ecca3a5b7f88dcd2cfffddc7df58f46f6b59595586b078ea51c7dd4b5d
Instruction ID: e7d2c26d28d53cc935951a5421380c99d66a9fb2c2c2330c12620a0ab7703bda
Opcode Fuzzy Hash: 65d898ecca3a5b7f88dcd2cfffddc7df58f46f6b59595586b078ea51c7dd4b5d
Instruction Fuzzy Hash: E6319E721083009FD300EF54CC81AAFBBF8EF99354F54492EF585821A1EB719984EBA3

Function 00FA8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

GetCursorPos.USER32(?), ref: 00FA9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F67711,?,?,?,?,?), ref: 00FA9016
GetCursorPos.USER32(?), ref: 00FA905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F67711,?,?,?), ref: 00FA9094

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a1380b067ed8ba4de1dce9cf738fa50b75772b4b3888f27fbf730c8b53afbd20
Instruction ID: a8b79b33be88973f906bb5cc5a556f0761821df2b814f2dd605404785ac6ca4a
Opcode Fuzzy Hash: a1380b067ed8ba4de1dce9cf738fa50b75772b4b3888f27fbf730c8b53afbd20
Instruction Fuzzy Hash: 95219175A04018EFDB258FA5DC58EEA7BB9FF8A3A0F148065F5054B261C371A950FB60

Function 00F7D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FACB68), ref: 00F7D2FB
GetLastError.KERNEL32 ref: 00F7D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F7D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FACB68), ref: 00F7D376

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 254589bb211a7f9b1fca9e0e22340404247f4100c53c66df89c4fa0373ee2b89
Instruction ID: 0a9a066c29a04bf902dd0fc4b263ba2177dc8817bf182691894c985ca8c88657
Opcode Fuzzy Hash: 254589bb211a7f9b1fca9e0e22340404247f4100c53c66df89c4fa0373ee2b89
Instruction Fuzzy Hash: 4621A3709083019F8700DF24C8819AA77F4EE56368F908A1EF49DC32A1DB31D945EB93

Function 00F71571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F7102A
Part of subcall function 00F71014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F71036
Part of subcall function 00F71014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71045
Part of subcall function 00F71014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7104C
Part of subcall function 00F71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F715BE
_memcmp.LIBVCRUNTIME ref: 00F715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F71617
HeapFree.KERNEL32(00000000), ref: 00F7161E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 171606e18652020d8cc5b30401fbfc06e304ae1e0bdb9e1889dda1ad50ce4dde
Instruction ID: 66570cda82a23f0c892d4ccd74e44c48da2aa8decad7f3929cd7cedacad21305
Opcode Fuzzy Hash: 171606e18652020d8cc5b30401fbfc06e304ae1e0bdb9e1889dda1ad50ce4dde
Instruction Fuzzy Hash: 2B217C71E00108EFDB14DFA8D945BEEB7B8FF44354F18845AE445AB241E730AA09EB91

Function 00FA2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FA280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FA2840

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b2d9c0d2deb558b8df32775522770d1d83e1bce85501721d6ea79eb65c49c2a0
Instruction ID: a4645fdbf8ad14d83503c0e3c7e1d02254b307507c562c741527bd0aa42d0c71
Opcode Fuzzy Hash: b2d9c0d2deb558b8df32775522770d1d83e1bce85501721d6ea79eb65c49c2a0
Instruction Fuzzy Hash: 2321F171704110AFD7549B28CC44FAA7B95AF46324F188158F4268B6E2CB79FD82DBD0

Function 00F778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F78D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F7790A,?,000000FF,?,00F78754,00000000,?,0000001C,?,?), ref: 00F78D8C
Part of subcall function 00F78D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00F78DB2
Part of subcall function 00F78D7D: lstrcmpiW.KERNEL32(00000000,?,00F7790A,?,000000FF,?,00F78754,00000000,?,0000001C,?,?), ref: 00F78DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F77923
lstrcpyW.KERNEL32(00000000,?), ref: 00F77949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F77984

Strings

cdecl, xrefs: 00F7797B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 61ae583220259b04c23d6f7cd31c5bdc138f8669aa4fc9d9dec9375b19606983
Instruction ID: 4cab584048732b93306f46b58276fc5a5f29cfdf2a0606242bb039088e6c5dd4
Opcode Fuzzy Hash: 61ae583220259b04c23d6f7cd31c5bdc138f8669aa4fc9d9dec9375b19606983
Instruction Fuzzy Hash: 5F11D63A211305ABCB156F34DC49E7B77B5FF99390B50802BF94AC7264EB319811E792

Function 00FA7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FA7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FA7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FA7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F8B7AD,00000000), ref: 00FA7D6B

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 65cbb7c61b6dab39de2221e41095859365b1cc973eeea394ccea4289ae564756
Instruction ID: d903f649810646308e77af2a8d961de15221e55cdb3aa07766eb7ace73b6bd95
Opcode Fuzzy Hash: 65cbb7c61b6dab39de2221e41095859365b1cc973eeea394ccea4289ae564756
Instruction Fuzzy Hash: 2F11A5B2A047599FCB10AF29CC04E6A3BA5BF46370B154724F839DB2F0D7309950EB90

Function 00FA5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FA56BB
_wcslen.LIBCMT ref: 00FA56CD
_wcslen.LIBCMT ref: 00FA56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA5816

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 9686825bc784dfd9819d8511c3139dcd3a8c683190679c1045f33eabb6953e1a
Instruction ID: ca6fb28de6901172dc3c5ef4da150dc126ec30294f0cf6e9614192545280875c
Opcode Fuzzy Hash: 9686825bc784dfd9819d8511c3139dcd3a8c683190679c1045f33eabb6953e1a
Instruction Fuzzy Hash: 5611B1F6A0060896DF20DF618C85AEE77BCBF16B70F104026F915D6181EB74DA84EBA1

Function 00F41D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380f930eeb388d2b18cb17e91b53617dab93296fd23c61330ce107993048d50b
Instruction ID: 0090b7d765d7b87a5ee217da7eee1225bcca86d9e6ece99cde7923f3a325f41b
Opcode Fuzzy Hash: 380f930eeb388d2b18cb17e91b53617dab93296fd23c61330ce107993048d50b
Instruction Fuzzy Hash: 22014FF2A0561A7EF62116786CC1F677A2DEF413B8B340326FD31611D2DB649C847160

Function 00F71A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F71A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A8A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 34d62d75c09fea3622209528c037ead3031bee3914008355c44dac1cf209f942
Instruction ID: 0802b0c18bd8d2fc9ccf32cda9a7c5438bd58c724df06b29770b737d985a619e
Opcode Fuzzy Hash: 34d62d75c09fea3622209528c037ead3031bee3914008355c44dac1cf209f942
Instruction Fuzzy Hash: 58110C7AD01219FFEB11DBA9CD85FADBB78FB08750F204092E604B7290D6716E50EB94

Function 00F7E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F7E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F7E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F7E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F7E24D

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a962e213e901ebbf5ec39e2881d9b25d92fdd27b7bacd51f740b6ff82d54e51d
Instruction ID: b9da5eff80b57ad3ca0720c5ab6602c484c44ac80b9ab13f4495c2e589b4c1ab
Opcode Fuzzy Hash: a962e213e901ebbf5ec39e2881d9b25d92fdd27b7bacd51f740b6ff82d54e51d
Instruction Fuzzy Hash: 47112BB2E0425CBFC7019FA89C45A9F7FADAB45320F008257F818D7291D670CD00A7A1

Function 00F3D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F3CFF9,00000000,00000004,00000000), ref: 00F3D218
GetLastError.KERNEL32 ref: 00F3D224
__dosmaperr.LIBCMT ref: 00F3D22B
ResumeThread.KERNEL32(00000000), ref: 00F3D249

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5d83678ee5d747c94c4e95bf80c74f6d593348290aad5f3215c3d014faa1a02c
Instruction ID: 90173a997b3dc12643d340cb41cba3c9d366a9023650074a13042030c5efecc3
Opcode Fuzzy Hash: 5d83678ee5d747c94c4e95bf80c74f6d593348290aad5f3215c3d014faa1a02c
Instruction Fuzzy Hash: B101D276805208BBDB216BA5EC09BAB7A69DF82731F100229F925921D0CF71C905E6A0

Function 00FA9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2

GetClientRect.USER32(?,?), ref: 00FA9F31
GetCursorPos.USER32(?), ref: 00FA9F3B
ScreenToClient.USER32(?,?), ref: 00FA9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FA9F7A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 54af17434b699d0a27471f8f6fcbe240abba0fb52404f5c8b1a11c4328f8ab92
Instruction ID: 46b0dbfb5859e49f49025a0984060d0d44095f7eacab093be9512733d6dee6c4
Opcode Fuzzy Hash: 54af17434b699d0a27471f8f6fcbe240abba0fb52404f5c8b1a11c4328f8ab92
Instruction Fuzzy Hash: EC1136B290415AAFDF10DF69DC859EE77B8FB46311F000461FA11E7141D374BA81EBA1

Function 00F1600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
GetStockObject.GDI32(00000011), ref: 00F16060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: db5b076c67e4dd3546d76e3999a0af83f14fa5dc7965dd30b792aaac2de22b3a
Instruction ID: 5f0be766a10e3a9cdd354beab04df7f7d50b96ab4a0470fa082fec099b65aa96
Opcode Fuzzy Hash: db5b076c67e4dd3546d76e3999a0af83f14fa5dc7965dd30b792aaac2de22b3a
Instruction Fuzzy Hash: EC115BB2501548BFEF128FA49C44AEABBA9EF0D3A4F040215FA1492110D7329CA0FBA0

Function 00F33B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F33B56

Part of subcall function 00F33AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F33AD2
Part of subcall function 00F33AA3: ___AdjustPointer.LIBCMT ref: 00F33AED

_UnwindNestedFrames.LIBCMT ref: 00F33B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F33B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F33BA4

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9e5e932ea68d3dbcd64d8f127b9e5014d5130a7a4f7b72e24fa702bf94ee80dc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1F01E972500149BBDF129E95CC46EEB7B69EF98764F044014FE48A6121C73AE961EBA0

Function 00F43073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F113C6,00000000,00000000,?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue), ref: 00F430A5
GetLastError.KERNEL32(?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue,00FB2290,FlsSetValue,00000000,00000364,?,00F42E46), ref: 00F430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue,00FB2290,FlsSetValue,00000000), ref: 00F430BF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5b75f349f812fcc0904b785cbd0d81854fecb4e1de48b6b80c0ac97069c64e91
Instruction ID: 369c8e6412267f548f5d6a6854e56ac9b8c6386594470e2b02795e41b1c40a0a
Opcode Fuzzy Hash: 5b75f349f812fcc0904b785cbd0d81854fecb4e1de48b6b80c0ac97069c64e91
Instruction Fuzzy Hash: 5301DB76701226ABCB314B7D9C85A577FD8EF46B75B210720FD05E7140DB21D901E6E0

Function 00F77464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F7747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F77497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F774CA

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 069b0e8b26421019b28113de3067771ad46e836e65227fc0c6ef9039c66e0ad6
Instruction ID: c301dac4a56817474eb8258527eca452a53c9c112facde7c14326a08ff237ddf
Opcode Fuzzy Hash: 069b0e8b26421019b28113de3067771ad46e836e65227fc0c6ef9039c66e0ad6
Instruction Fuzzy Hash: 111161B5219315DBE720DF24DC09F927FFCEB04B04F10C56AAA5AD6191D7B0E904EB92

Function 00F7B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B126

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 876203871653c9f4c0fc3f4192745603528432d502f9cfb29aca35d1992ac5f6
Instruction ID: 0a37c44b0ff2f815a3f5a830a66137c83d34d3b9480c924cf21c9cd377656e5c
Opcode Fuzzy Hash: 876203871653c9f4c0fc3f4192745603528432d502f9cfb29aca35d1992ac5f6
Instruction Fuzzy Hash: B6118B71E0152CE7CF00AFE4E9687EEBB78FF0A311F108086D945B2181CB704651EB92

Function 00F72DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F72DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F72DD6
GetCurrentThreadId.KERNEL32 ref: 00F72DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F72DE4

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ef3f3c3d47b10b5ae82e8a1df5f961be80adcbc7d30f7c05385c1fd7dfc30202
Instruction ID: 4918c081794212979daeb782d06a014d2ea8e42df73ae2429b7ab961a53484ec
Opcode Fuzzy Hash: ef3f3c3d47b10b5ae82e8a1df5f961be80adcbc7d30f7c05385c1fd7dfc30202
Instruction Fuzzy Hash: 04E06DB26012287AD7205B639C0DFEB3E6CEB43BA1F004016B109D11809AA08840E6F1

Function 00FA8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296A2
Part of subcall function 00F29639: BeginPath.GDI32(?), ref: 00F296B9
Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FA8887
LineTo.GDI32(?,?,?), ref: 00FA8894
EndPath.GDI32(?), ref: 00FA88A4
StrokePath.GDI32(?), ref: 00FA88B2

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 15f98967df03a51305d91d880b10f9e5f0dedce26448059f81b39f6e857d7e65
Instruction ID: 7ddecf090f3625819705af2b246590aea2b0224a3f149cd1206c815c4b4664e0
Opcode Fuzzy Hash: 15f98967df03a51305d91d880b10f9e5f0dedce26448059f81b39f6e857d7e65
Instruction Fuzzy Hash: B4F03A76045258BADB125F94AC0DFCE3F59AF06310F448000FA11A50E2CBB95511EBE9

Function 00F298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F298CC
SetTextColor.GDI32(?,?), ref: 00F298D6
SetBkMode.GDI32(?,00000001), ref: 00F298E9
GetStockObject.GDI32(00000005), ref: 00F298F1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6c16219b8a4ee1b8254383ae528bdda508788c70e94f635608260d02592ef8e5
Instruction ID: d4494bb5f9f90e8f0d67471d86bfcad8bfb2490d497f8809a7b80651a3a0387f
Opcode Fuzzy Hash: 6c16219b8a4ee1b8254383ae528bdda508788c70e94f635608260d02592ef8e5
Instruction Fuzzy Hash: 6CE06D71644288AEDB216B74BC09BE83F60EB13736F088219F6FA580E1C7724680AB10

Function 00F7162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F71634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F711D9), ref: 00F7163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F711D9), ref: 00F71648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F711D9), ref: 00F7164F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e4278f2f94680fbf701a073f8e9698c04f8170203ab649d23502518159a9e5e7
Instruction ID: 5caadc0f98027b22dac22709af86485a52ec30aea1e58916edb6d9adcd838015
Opcode Fuzzy Hash: e4278f2f94680fbf701a073f8e9698c04f8170203ab649d23502518159a9e5e7
Instruction Fuzzy Hash: AEE086B1A01215DBD7201FA49D0DB473BBCBF467A1F14C809F245C9080D6344544E791

Function 00F6D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F6D858
GetDC.USER32(00000000), ref: 00F6D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6D882
ReleaseDC.USER32(?), ref: 00F6D8A3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a38fb8ca51e75167f1ae84f1cd9d3622af0a10b78000eef3e029cc24e3899f15
Instruction ID: de097d6f6a473eeb2f4ef351a53ad16ff9da480fb6dcf43b3cc8c5748a70ce3b
Opcode Fuzzy Hash: a38fb8ca51e75167f1ae84f1cd9d3622af0a10b78000eef3e029cc24e3899f15
Instruction Fuzzy Hash: 4BE09AB5940209DFCB41DFA0D90C66DBBB5FB09311F148459E84AE7350CB389941BF90

Function 00F6D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F6D86C
GetDC.USER32(00000000), ref: 00F6D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6D882
ReleaseDC.USER32(?), ref: 00F6D8A3

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 94ffb31e5f21f7b09dc2ea295972a20b68590d7dee9d9cbf4cf14313b6c25e32
Instruction ID: d2ccbaca1cf1d56ae8c0eddaf3b6aba213625b809ca9ba951a5bdeb6b6ab1e6c
Opcode Fuzzy Hash: 94ffb31e5f21f7b09dc2ea295972a20b68590d7dee9d9cbf4cf14313b6c25e32
Instruction Fuzzy Hash: A2E092B5800208EFCB51EFA0D80866EBBB5BB09311B148449E94AE7360CB389942BF90

Function 00F84D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F84ED4

Strings

*, xrefs: 00F84E10
LPT, xrefs: 00F84DFB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6e887d008b7c4db156192fedc23babb02c3d12e8300bf3f24db940cf917674eb
Instruction ID: f47f3a68d9d9d989052617d25fc56ecc0d6dcf3c39b4bf5a978353654de2c641
Opcode Fuzzy Hash: 6e887d008b7c4db156192fedc23babb02c3d12e8300bf3f24db940cf917674eb
Instruction Fuzzy Hash: 48913C75A002059FCB14EF58C884EEABBF1AF44314F19809DE90A9F3A2D735ED85DB91

Function 00F3E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F3E30D

Strings

pow, xrefs: 00F3E2E5, 00F3E302

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 30aad09ac9ec555d3b904b5bb49d5bf2579d60cfde808957fef80490eee62894
Instruction ID: d204426f008871a343637c4f1cf81205bd5401bfd04b9d2d9cf75c30eb5e1faf
Opcode Fuzzy Hash: 30aad09ac9ec555d3b904b5bb49d5bf2579d60cfde808957fef80490eee62894
Instruction Fuzzy Hash: 33516B61E1C30696CB157724CD413BA3FA4EF40770F348E68E8D5823E9EB348C95BA86

Function 00F2E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F2E1B1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9b3ee71eed9d3819ee4ba8ed666415e336164d9c782f5bc83d4b881ffa06e773
Instruction ID: 0dddadd7a2dcfc6b4acc5074d3fb30c7a09783cf88203b707b243d474ae2aa19
Opcode Fuzzy Hash: 9b3ee71eed9d3819ee4ba8ed666415e336164d9c782f5bc83d4b881ffa06e773
Instruction Fuzzy Hash: 6F51367AD04256DFDF15DF28D4416FA7BA8EF55320F344055ECA29B2C0D6349D42EBA0

Function 00F2F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F2F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F2F2BB

Strings

@, xrefs: 00F2F2AF

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5bff894f9d9264a75b7a5797fd2bbb54449dc2f046434c77990bbd41b1c45e15
Instruction ID: ea68aaff0db99a935bf3974eda544f1240d8066d19a5b7f901e44f4d86b321ac
Opcode Fuzzy Hash: 5bff894f9d9264a75b7a5797fd2bbb54449dc2f046434c77990bbd41b1c45e15
Instruction Fuzzy Hash: 825136714087489BD320AF10DC86BAFBBF8FF85300F81885DF1D9421A5EB749569DBA6

Function 00F95745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F957E0
_wcslen.LIBCMT ref: 00F957EC

Strings

CALLARGARRAY, xrefs: 00F957E6, 00F957EB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 4d7a221de1ed98c87bf61829b4f829ce412533912fc73844f38cfbffcfdfe4f9
Instruction ID: d90f5c211101becc13aaaed3e03eb7eac513cd203642ff0f26c9e915d93d1214
Opcode Fuzzy Hash: 4d7a221de1ed98c87bf61829b4f829ce412533912fc73844f38cfbffcfdfe4f9
Instruction Fuzzy Hash: E241BE71E002099FDF14EFA9C8859EEBBB5EF59720F108029E505A7252EB349D81EB90

Function 00F8D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F8D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F8D13A

Strings

|, xrefs: 00F8D10B

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 272aafe7dcd88f224397746fbd9dea9c059b53046331ddcad1d58af4b5225737
Instruction ID: f22ad338668a4be6e47b5eb5ac532db52cb451f8835c22bb0da49d82d96289de
Opcode Fuzzy Hash: 272aafe7dcd88f224397746fbd9dea9c059b53046331ddcad1d58af4b5225737
Instruction Fuzzy Hash: 40317E71D00209ABDF11EFA5CC85EEEBFB9FF04310F000019F815A6162EB35AA46EB64

Function 00FA356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FA3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FA365C

Strings

static, xrefs: 00FA35BC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 06ea941c66746dd0ceff467c36898513c0e47c5fcfa98496b01d57c906c61772
Instruction ID: df153e2bde81b209198f522c969d53ac2ebb6ab88e8b75bd09350e638251d86d
Opcode Fuzzy Hash: 06ea941c66746dd0ceff467c36898513c0e47c5fcfa98496b01d57c906c61772
Instruction Fuzzy Hash: 4D3190B1510204AEDB10DF68DC80EFB73A9FF89760F008619F8A5D7280DA35ED81E760

Function 00FA4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FA461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA4634

Strings

', xrefs: 00FA458E

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0983fdb7967083f95a51f34822a9ee118a85566ee831861dcea77658c5f9c5e9
Instruction ID: b2b096533fdea223bae625790c98ad79232e3a8d7d78fdc1cd4b2bb3a12c52c8
Opcode Fuzzy Hash: 0983fdb7967083f95a51f34822a9ee118a85566ee831861dcea77658c5f9c5e9
Instruction Fuzzy Hash: FC3119B5E012099FDB14CF69C990BDABBB5FF8A310F14406AE905AB391D7B0A941DF90

Function 00FA31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FA327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA3287

Strings

Combobox, xrefs: 00FA3249

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 58c366c2eed0ede17797aad954d806d15a502b76dcc77fddd6591e8ec87c8877
Instruction ID: 0cc821732c9b568eacb099c817c537ade49bc9312f2241a71d9eb91187963068
Opcode Fuzzy Hash: 58c366c2eed0ede17797aad954d806d15a502b76dcc77fddd6591e8ec87c8877
Instruction Fuzzy Hash: D311B6B17002087FEF219E54DC81FBB379AEB563A4F104125F91897290D6719D51A7A0

Function 00FA3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
Part of subcall function 00F1600E: GetStockObject.GDI32(00000011), ref: 00F16060
Part of subcall function 00F1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A

GetWindowRect.USER32(00000000,?), ref: 00FA377A
GetSysColor.USER32(00000012), ref: 00FA3794

Strings

static, xrefs: 00FA3757

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 63ea269c6c9ba3cae0011cca47d1018268a4832255a5ff59913456a8c74920ac
Instruction ID: 602068964395133cc99019e27ef04f8c88b53952905b971907f8da78db813575
Opcode Fuzzy Hash: 63ea269c6c9ba3cae0011cca47d1018268a4832255a5ff59913456a8c74920ac
Instruction Fuzzy Hash: D91129B2610209AFDB00DFA8CC45EFA7BB8FB09354F004514F955E2250E775E951ABA0

Function 00F8CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F8CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F8CDA6

Strings

<local>, xrefs: 00F8CD66

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aebd8f46414c1061f6efba7602c175b2bcec1628cceff57983f305b662d17b68
Instruction ID: 105612300cbf0ca2a0aae5619b7168edab3da0ac048be1963868f4a27234a02b
Opcode Fuzzy Hash: aebd8f46414c1061f6efba7602c175b2bcec1628cceff57983f305b662d17b68
Instruction Fuzzy Hash: EB11A3776056367AD7246B668C45FE7BEA9EB127B4F004226B52983180D6709841E7F0

Function 00FA3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FA34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FA34BA

Strings

edit, xrefs: 00FA348F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2ce3126190d2573f042bb3b0a04a0706a4c8fb129e476eb893f04c6a6b1b9022
Instruction ID: 52d891637dda853817384584829ddc2f05e6ebb1cafcad89b9c54cf3fb58fa8a
Opcode Fuzzy Hash: 2ce3126190d2573f042bb3b0a04a0706a4c8fb129e476eb893f04c6a6b1b9022
Instruction Fuzzy Hash: 2B118FB1900208AFEB118E64DC44AEB3B6AEB0A374F504324FD65971D4C775DD91BB90

Function 00F76C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F76CB6
_wcslen.LIBCMT ref: 00F76CC2

Strings

STOP, xrefs: 00F76CBC, 00F76CC1

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 347ec28b101649dd8395c89fed4ff1a32e30d1b39ac63a46baa266228c16828e
Instruction ID: 6d5f7290b4885c76b96661a4161649816107b9c2149a7ae8bd8199765830b77c
Opcode Fuzzy Hash: 347ec28b101649dd8395c89fed4ff1a32e30d1b39ac63a46baa266228c16828e
Instruction Fuzzy Hash: 29010433A109278ACB219FBDDC809BF33A5EA61720B104526E856D6190EB35D940E691

Function 00F71CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F71D4C

Strings

ListBox, xrefs: 00F71D16
ComboBox, xrefs: 00F71CEB

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 115cf3d0198cdcf91e2cb6e9b64f6f8f863705b114cfec9d643003b9bfa96681
Instruction ID: 3a49bf12888d66779b5eea29638381fdc1d82f31523bbb67467690329962be33
Opcode Fuzzy Hash: 115cf3d0198cdcf91e2cb6e9b64f6f8f863705b114cfec9d643003b9bfa96681
Instruction Fuzzy Hash: 8C012D71A001146BCB14EBA4CC11DFE73A5FB423A0B04450BF866573C1EA74590CBAA2

Function 00F71BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F71C46

Strings

ListBox, xrefs: 00F71C10
ComboBox, xrefs: 00F71BE5

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 440c95c62087cee6df7031902db2a1cccdc20fb6406b05e14ac1f5d43c4ed520
Instruction ID: 03f8563a0870cf88ae57b8a8f11302abc1cdc49dcf398963f01373d3d0332d68
Opcode Fuzzy Hash: 440c95c62087cee6df7031902db2a1cccdc20fb6406b05e14ac1f5d43c4ed520
Instruction Fuzzy Hash: 9801FC75A4010466CB05E7D4CD52EFF73A8AB11340F24001BA80A672C1EA649E0CB6F3

Function 00F71C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F71CC8

Strings

ListBox, xrefs: 00F71C94
ComboBox, xrefs: 00F71C69

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7f32eae310c740b67d3b75e887c6cd0a22d82b40249b60d6851b954700054461
Instruction ID: ba807a6582c900a999ab07db0dffc6a2a8f119898b019e53cefbd522e83a2225
Opcode Fuzzy Hash: 7f32eae310c740b67d3b75e887c6cd0a22d82b40249b60d6851b954700054461
Instruction Fuzzy Hash: 9101A775B4011866CB05EBD4CE12EFE73A8AB11350B544017B84A73281EA649F0CB6B3

Function 00F71D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD

Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F71DD3

Strings

ListBox, xrefs: 00F71DA0
ComboBox, xrefs: 00F71D75

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e7fa13b3578d7acde9562a6088a7de34b04e61894d74ebcc7af917ddfbec0f5d
Instruction ID: 8ac308212577df7be3162891a2ef0a23450e5903d03fcd29a52827bba4abb938
Opcode Fuzzy Hash: e7fa13b3578d7acde9562a6088a7de34b04e61894d74ebcc7af917ddfbec0f5d
Instruction Fuzzy Hash: D7F02D71B4021876C714F7A8CC52FFF73B8BB02350F040917B866632C1DA64590CB6E2

Function 00F9747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F97493
_wcslen.LIBCMT ref: 00F974B9

Strings

3, 3, 16, 1, xrefs: 00F97483

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7cb2bafdfae7d777239f28c19e66b1162d12c8219690308e77fbf771b53bce80
Instruction ID: 84034bbc79905ab07daac19ba767ab3b58f2abcaa95f508c4324fb8c91d635d9
Opcode Fuzzy Hash: 7cb2bafdfae7d777239f28c19e66b1162d12c8219690308e77fbf771b53bce80
Instruction Fuzzy Hash: 4BE02B0262532050A731327D9CC1B7F6789CFC9770B14182BF985C2267EA9CED91B3A1

Function 00F70B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F70B23

Strings

Error allocating memory., xrefs: 00F70B1C
AutoIt, xrefs: 00F70B17

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4dc5fe9f52fdd59af0eddbd10c838a12bdd6865aa181e704dc2a18baeb006921
Instruction ID: 3465a23f82c9a2b3eaa0965c6e3cdd4e524cfba640cdd634c08aef8dca986bf1
Opcode Fuzzy Hash: 4dc5fe9f52fdd59af0eddbd10c838a12bdd6865aa181e704dc2a18baeb006921
Instruction Fuzzy Hash: CCE0D83124431826D21037547C03F897A848F06F20F100427F758955C38EE5649076EA

Function 00F30D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F30D71,?,?,?,00F1100A), ref: 00F2F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F1100A), ref: 00F30D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F1100A), ref: 00F30D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F30D7F

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 52186c3a1272bc97f7b195b2a903f275698b33f2241dc623c4e316f78dfe33c9
Instruction ID: 1e7a23955001cf4ce6c3ac68cb2959a45474d62915aeb52e6480bf066ffbea14
Opcode Fuzzy Hash: 52186c3a1272bc97f7b195b2a903f275698b33f2241dc623c4e316f78dfe33c9
Instruction Fuzzy Hash: C6E06DB02003518BD3209FB8E8547467BE4AF05750F00492EE482CA656DFB5E488AB91

Function 00F6D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F6D220

Strings

%.3d, xrefs: 00F6D22B
X64, xrefs: 00F6D2A8

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8e31a2b4f7c6d5615df23662b68cb07d16acd5a3dd57d6f51989aafa10508534
Instruction ID: 163196761844471aee7d558133fe1261b4a649f67a012a7f7967a3e1c83d8587
Opcode Fuzzy Hash: 8e31a2b4f7c6d5615df23662b68cb07d16acd5a3dd57d6f51989aafa10508534
Instruction Fuzzy Hash: D4D012A2D08119E9CB9096D0DC55AB9B3BCAB09301F548462F806D1040E728C5087761

Function 00FA2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA236C
PostMessageW.USER32(00000000), ref: 00FA2373

Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3

Strings

Shell_TrayWnd, xrefs: 00FA2365

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3e798419214da97b236ef4462a3f5bb7f8d9377113f9743293c8c6bba7e87d59
Instruction ID: 5f6a7668ee46da97eccc00aea8a237611efc7ce661aa252ec1d2b949674f5b0f
Opcode Fuzzy Hash: 3e798419214da97b236ef4462a3f5bb7f8d9377113f9743293c8c6bba7e87d59
Instruction Fuzzy Hash: 7FD022723C03047BE264B730DC0FFC676149B0AB00F0049037309EA2D0C8F0B800DA84

Function 00FA2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FA233F

Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3

Strings

Shell_TrayWnd, xrefs: 00FA2325

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b525ae0211ec6a2a59f223cd712a17e155b08119adbdc0b362bd0e8b27159f08
Instruction ID: 5e0ec2c475176ec5da46ede4df462dd256d111a83897e463d50a1de4d4911db6
Opcode Fuzzy Hash: b525ae0211ec6a2a59f223cd712a17e155b08119adbdc0b362bd0e8b27159f08
Instruction Fuzzy Hash: DFD02276380304BBE264B730DC0FFC67A149B05B00F0049037309EA2D0C8F0A800DA80

Function 00F4BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F4BE93
GetLastError.KERNEL32 ref: 00F4BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F4BEFC

Memory Dump Source

Source File: 00000000.00000002.1400324683.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.1400289719.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1400862043.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401153361.0000000000FDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401228505.0000000000FE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_jsLnybSs43.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 440e1e87d09d63afc5889210e97f08a9bc82c56d00c5f8f5ad3f7ab2b1e7adbe
Instruction ID: 45e6fe30a0f7bf5abe0cebc5cab4277e0314427fba86feda2a559b953256f567
Opcode Fuzzy Hash: 440e1e87d09d63afc5889210e97f08a9bc82c56d00c5f8f5ad3f7ab2b1e7adbe
Instruction Fuzzy Hash: 6041A035A04206ABDB218FA5CC44AAA7FA5AF42330F144169FD5D9B2A3DB30DD05FB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jsLnybSs43.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

C:\Users\user\AppData\Local\Temp\aut7353.tmp

C:\Users\user\AppData\Local\Temp\aut7393.tmp

C:\Users\user\AppData\Local\Temp\aut777A.tmp

C:\Users\user\AppData\Local\Temp\aut7827.tmp

C:\Users\user\AppData\Local\Temp\autEE7E.tmp

C:\Users\user\AppData\Local\Temp\autEECE.tmp

C:\Users\user\AppData\Local\Temp\demonetising

C:\Users\user\AppData\Local\Temp\sulfhydric

C:\Users\user\AppData\Local\directory\name.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

C:\Users\user\AppData\Roaming\newfile\newfile.exe

Windows Analysis Report
jsLnybSs43.exe

Function 00F142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00F142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00F52BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre