Edit tour

Windows Analysis Report
rRFQ_025261-97382.exe

Overview

General Information

Sample name:	rRFQ_025261-97382.exe
Analysis ID:	1480058
MD5:	508128551f3b5bd0b8aa67778787192b
SHA1:	20109fb53468184a37748f5a5a9e8e6604768822
SHA256:	28598b988b1838de1db1d09ee5e7ef40353622ac2532259137dc8199697dba37
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rRFQ_025261-97382.exe (PID: 6052 cmdline: "C:\Users\user\Desktop\rRFQ_025261-97382.exe" MD5: 508128551F3B5BD0B8AA67778787192B)

RegSvcs.exe (PID: 1612 cmdline: "C:\Users\user\Desktop\rRFQ_025261-97382.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 2156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1484 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6756118950:AAGfdfhshYm8ER28iBEbbJy5ae-eVJaOJUM/sendMessage?chat_id=6278563907"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14750:$a1: get_encryptedPassword 0x14a3c:$a2: get_encryptedUsername 0x1455c:$a3: get_timePasswordChanged 0x14657:$a4: get_passwordField 0x14766:$a5: set_encryptedPassword 0x15d37:$a7: get_logins 0x15c9a:$a10: KeyLoggerEventArgs 0x15933:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x196a4:$x1: $%SMTPDV$ 0x18088:$x2: $#TheHashHere%& 0x1964c:$x3: %FTPDV$ 0x18028:$x4: $%TelegramDv$ 0x15933:$x5: KeyLoggerEventArgs 0x15c9a:$x5: KeyLoggerEventArgs 0x19670:$m2: Clipboard Logs ID 0x198ae:$m2: Screenshot Logs ID 0x199be:$m2: keystroke Logs ID 0x19c98:$m3: SnakePW 0x19886:$m4: \SnakeKeylogger\
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14950:$a1: get_encryptedPassword 0x14c3c:$a2: get_encryptedUsername 0x1475c:$a3: get_timePasswordChanged 0x14857:$a4: get_passwordField 0x14966:$a5: set_encryptedPassword 0x15f37:$a7: get_logins 0x15e9a:$a10: KeyLoggerEventArgs 0x15b33:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c25a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b48c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8bf:$a4: \Orbitum\User Data\Default\Login Data 0x1c8fe:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154b7:$s1: UnHook 0x154be:$s2: SetHook 0x154c6:$s3: CallNextHook 0x154d3:$s4: _hook
00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a4:$x1: $%SMTPDV$ 0x18288:$x2: $#TheHashHere%& 0x1984c:$x3: %FTPDV$ 0x18228:$x4: $%TelegramDv$ 0x15b33:$x5: KeyLoggerEventArgs 0x15e9a:$x5: KeyLoggerEventArgs 0x19870:$m2: Clipboard Logs ID 0x19aae:$m2: Screenshot Logs ID 0x19bbe:$m2: keystroke Logs ID 0x19e98:$m3: SnakePW 0x19a86:$m4: \SnakeKeylogger\
00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rRFQ_025261-97382.exe PID: 6052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rRFQ_025261-97382.exe PID: 6052	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: rRFQ_025261-97382.exe PID: 6052	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17cbd4:$a1: get_encryptedPassword 0x17ceb6:$a2: get_encryptedUsername 0x17c9ea:$a3: get_timePasswordChanged 0x17cae5:$a4: get_passwordField 0x17cbea:$a5: set_encryptedPassword 0x17efd7:$a7: get_logins 0x17ef3a:$a10: KeyLoggerEventArgs 0x17ebd3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: rRFQ_025261-97382.exe PID: 6052	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ebd3:$x5: KeyLoggerEventArgs 0x17ef3a:$x5: KeyLoggerEventArgs 0x17f4f7:$x5: KeyLoggerEventArgs 0x17f82b:$x5: KeyLoggerEventArgs 0x1810ec:$m2: Clipboard Logs ID 0x1811f2:$m2: Screenshot Logs ID 0x181248:$m2: keystroke Logs ID 0x18137d:$m3: SnakePW 0x1811de:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1612	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 1612	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25120:$a1: get_encryptedPassword 0x25402:$a2: get_encryptedUsername 0x24f36:$a3: get_timePasswordChanged 0x25031:$a4: get_passwordField 0x25136:$a5: set_encryptedPassword 0x27523:$a7: get_logins 0x27486:$a10: KeyLoggerEventArgs 0x2711f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 1612	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2711f:$x5: KeyLoggerEventArgs 0x27486:$x5: KeyLoggerEventArgs 0x27a43:$x5: KeyLoggerEventArgs 0x27d77:$x5: KeyLoggerEventArgs 0x29638:$m2: Clipboard Logs ID 0x2973e:$m2: Screenshot Logs ID 0x29794:$m2: keystroke Logs ID 0x298c9:$m3: SnakePW 0x2972a:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14950:$a1: get_encryptedPassword 0x14c3c:$a2: get_encryptedUsername 0x1475c:$a3: get_timePasswordChanged 0x14857:$a4: get_passwordField 0x14966:$a5: set_encryptedPassword 0x15f37:$a7: get_logins 0x15e9a:$a10: KeyLoggerEventArgs 0x15b33:$a11: KeyLoggerEventArgsEventHandler
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c25a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b48c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8bf:$a4: \Orbitum\User Data\Default\Login Data 0x1c8fe:$a5: \Kometa\User Data\Default\Login Data
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154b7:$s1: UnHook 0x154be:$s2: SetHook 0x154c6:$s3: CallNextHook 0x154d3:$s4: _hook
0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a4:$x1: $%SMTPDV$ 0x18288:$x2: $#TheHashHere%& 0x1984c:$x3: %FTPDV$ 0x18228:$x4: $%TelegramDv$ 0x15b33:$x5: KeyLoggerEventArgs 0x15e9a:$x5: KeyLoggerEventArgs 0x19870:$m2: Clipboard Logs ID 0x19aae:$m2: Screenshot Logs ID 0x19bbe:$m2: keystroke Logs ID 0x19e98:$m3: SnakePW 0x19a86:$m4: \SnakeKeylogger\
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b50:$a1: get_encryptedPassword 0x12e3c:$a2: get_encryptedUsername 0x1295c:$a3: get_timePasswordChanged 0x12a57:$a4: get_passwordField 0x12b66:$a5: set_encryptedPassword 0x14137:$a7: get_logins 0x1409a:$a10: KeyLoggerEventArgs 0x13d33:$a11: KeyLoggerEventArgsEventHandler
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a45a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1968c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19abf:$a4: \Orbitum\User Data\Default\Login Data 0x1aafe:$a5: \Kometa\User Data\Default\Login Data
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x136b7:$s1: UnHook 0x136be:$s2: SetHook 0x136c6:$s3: CallNextHook 0x136d3:$s4: _hook
0.2.rRFQ_025261-97382.exe.4020000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17aa4:$x1: $%SMTPDV$ 0x16488:$x2: $#TheHashHere%& 0x17a4c:$x3: %FTPDV$ 0x16428:$x4: $%TelegramDv$ 0x13d33:$x5: KeyLoggerEventArgs 0x1409a:$x5: KeyLoggerEventArgs 0x17a70:$m2: Clipboard Logs ID 0x17cae:$m2: Screenshot Logs ID 0x17dbe:$m2: keystroke Logs ID 0x18098:$m3: SnakePW 0x17c86:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14950:$a1: get_encryptedPassword 0x14c3c:$a2: get_encryptedUsername 0x1475c:$a3: get_timePasswordChanged 0x14857:$a4: get_passwordField 0x14966:$a5: set_encryptedPassword 0x15f37:$a7: get_logins 0x15e9a:$a10: KeyLoggerEventArgs 0x15b33:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c25a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b48c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b8bf:$a4: \Orbitum\User Data\Default\Login Data 0x1c8fe:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x154b7:$s1: UnHook 0x154be:$s2: SetHook 0x154c6:$s3: CallNextHook 0x154d3:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a4:$x1: $%SMTPDV$ 0x18288:$x2: $#TheHashHere%& 0x1984c:$x3: %FTPDV$ 0x18228:$x4: $%TelegramDv$ 0x15b33:$x5: KeyLoggerEventArgs 0x15e9a:$x5: KeyLoggerEventArgs 0x19870:$m2: Clipboard Logs ID 0x19aae:$m2: Screenshot Logs ID 0x19bbe:$m2: keystroke Logs ID 0x19e98:$m3: SnakePW 0x19a86:$m4: \SnakeKeylogger\
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6756118950:AAGfdfhshYm8ER28iBEbbJy5ae-eVJaOJUM/sendMessage?chat_id=6278563907"}

Multi AV Scanner detection for submitted file

Source: rRFQ_025261-97382.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rRFQ_025261-97382.exe

Joe Sandbox ML: detected

Source: rRFQ_025261-97382.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: HP<o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbMZ source: WERC640.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: rRFQ_025261-97382.exe, 00000000.00000003.1428051889.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rRFQ_025261-97382.exe, 00000000.00000003.1422045873.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rRFQ_025261-97382.exe, 00000000.00000003.1428051889.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rRFQ_025261-97382.exe, 00000000.00000003.1422045873.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbG source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb66\|I(L source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC640.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb2 source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb\| source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdbMZ source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbp source: WERC640.tmp.dmp.5.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0027DBBE
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0024C2A2 FindFirstFileExW,	0_2_0024C2A2
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002868EE FindFirstFileW,FindClose,	0_2_002868EE
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0028698F
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D076
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D3A9
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00289642
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028979D
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00289B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00289B2B
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00285C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00285C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0028CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0028CE44

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: RegSvcs.exe, 00000002.00000002.1561069450.0000000002C05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.1561069450.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1561069450.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: rRFQ_025261-97382.exe, 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: rRFQ_025261-97382.exe, 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0028EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0028EAFF

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0028ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0028ED6A

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

0_2_0028EAFF

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0027AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0027AA57

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002A9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: rRFQ_025261-97382.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rRFQ_025261-97382.exe, 00000000.00000000.1411649569.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ad4d11b0-3
Source: rRFQ_025261-97382.exe, 00000000.00000000.1411649569.00000000002D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_43294339-0
Source: rRFQ_025261-97382.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0ad07f87-0
Source: rRFQ_025261-97382.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_05b02ecd-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rRFQ_025261-97382.exe

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0027D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0027D5EB

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00271201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00271201

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0027E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0027E8F6

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0021BF40	0_2_0021BF40
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00218060	0_2_00218060
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00282046	0_2_00282046
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00278298	0_2_00278298
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0024E4FF	0_2_0024E4FF
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0024676B	0_2_0024676B
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002A4873	0_2_002A4873
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0023CAA0	0_2_0023CAA0
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0021CAF0	0_2_0021CAF0
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0022CC39	0_2_0022CC39
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00246DD9	0_2_00246DD9
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0022B119	0_2_0022B119
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002191C0	0_2_002191C0
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00231394	0_2_00231394
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00231706	0_2_00231706
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0023781B	0_2_0023781B
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00217920	0_2_00217920
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0022997D	0_2_0022997D
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002319B0	0_2_002319B0
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00237A4A	0_2_00237A4A
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00231C77	0_2_00231C77
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00237CA7	0_2_00237CA7
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0029BE44	0_2_0029BE44
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00249EEE	0_2_00249EEE
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00231F32	0_2_00231F32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01183578	2_2_01183578

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: String function: 00219CB3 appears 31 times
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: String function: 0022F9F2 appears 40 times
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: String function: 00230A30 appears 46 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1484

Source: rRFQ_025261-97382.exe, 00000000.00000003.1423075573.0000000004173000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rRFQ_025261-97382.exe
Source: rRFQ_025261-97382.exe, 00000000.00000003.1422706287.000000000431D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rRFQ_025261-97382.exe
Source: rRFQ_025261-97382.exe, 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rRFQ_025261-97382.exe

Source: rRFQ_025261-97382.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, c--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, c--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, --.cs

Base64 encoded string: 'T4tI0cT/vkSQcoEYUnIwOBRWaWtFWVOqdIftp3t0uvAzFq88foD78e9PlhRVO9KP'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/9@1/1

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002837B5 GetLastError,FormatMessageW,

0_2_002837B5

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002710BF AdjustTokenPrivileges,CloseHandle,		0_2_002710BF
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002716C3

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002851CD

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0029A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0029A67C

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0028648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0028648E

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002142A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1612

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

File created: C:\Users\user\AppData\Local\Temp\autA153.tmp

Jump to behavior

Source: rRFQ_025261-97382.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rRFQ_025261-97382.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\rRFQ_025261-97382.exe "C:\Users\user\Desktop\rRFQ_025261-97382.exe"
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rRFQ_025261-97382.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1484
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rRFQ_025261-97382.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: rRFQ_025261-97382.exe

Static file information: File size 1230336 > 1048576

Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rRFQ_025261-97382.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rRFQ_025261-97382.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: HP<o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbMZ source: WERC640.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: rRFQ_025261-97382.exe, 00000000.00000003.1428051889.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rRFQ_025261-97382.exe, 00000000.00000003.1422045873.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rRFQ_025261-97382.exe, 00000000.00000003.1428051889.0000000004080000.00000004.00001000.00020000.00000000.sdmp, rRFQ_025261-97382.exe, 00000000.00000003.1422045873.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbG source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb66\|I(L source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC640.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb2 source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb\| source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdbMZ source: WERC640.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbp source: WERC640.tmp.dmp.5.dr
Source:	Binary string: @Ho.pdb source: RegSvcs.exe, 00000002.00000002.1560291731.0000000000997000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC640.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC640.tmp.dmp.5.dr

Source: rRFQ_025261-97382.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rRFQ_025261-97382.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rRFQ_025261-97382.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rRFQ_025261-97382.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rRFQ_025261-97382.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00230A76 push ecx; ret		0_2_00230A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011824B9 push 8BFFFFFFh; retf		2_2_011824BF

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0022F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0022F98E
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002A1C41

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95628

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

API/Special instruction interceptor: Address: 1793234

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0027DBBE
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0024C2A2 FindFirstFileExW,	0_2_0024C2A2
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002868EE FindFirstFileW,FindClose,	0_2_002868EE
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0028698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0028698F
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D076
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0027D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0027D3A9
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00289642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00289642
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0028979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028979D
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00289B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00289B2B
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00285C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00285C97

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000002.00000002.1560548128.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0028EAA2 BlockInput,

0_2_0028EAA2

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00242622

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00234CE8 mov eax, dword ptr fs:[00000030h]

0_2_00234CE8

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00270B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00270B62

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00242622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00242622
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_0023083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0023083F
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_002309D5 SetUnhandledExceptionFilter,	0_2_002309D5
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00230C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00230C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

0_2_00271201

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00252BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00252BA5

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0027B226 SendInput,keybd_event,

0_2_0027B226

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002922DA

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rRFQ_025261-97382.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

0_2_00270B62

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00271663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00271663

Source: rRFQ_025261-97382.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rRFQ_025261-97382.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00230698 cpuid

0_2_00230698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_00288195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00288195

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0026D27A GetUserNameW,

0_2_0026D27A

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_0024B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0024B952

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe

Code function: 0_2_002142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR

Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_81
Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_XP
Source: rRFQ_025261-97382.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_XPe
Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_VISTA
Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_7
Source: rRFQ_025261-97382.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rRFQ_025261-97382.exe.4020000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rRFQ_025261-97382.exe PID: 6052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1612, type: MEMORYSTR

Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00291204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00291204
Source: C:\Users\user\Desktop\rRFQ_025261-97382.exe	Code function: 0_2_00291806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00291806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	2 Valid Accounts	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rRFQ_025261-97382.exe	61%	ReversingLabs	Win32.Spyware.Snakekeylogger
rRFQ_025261-97382.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	158.101.44.242	true	false		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.1561069450.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1561069450.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.1561069450.0000000002C05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	rRFQ_025261-97382.exe, 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	rRFQ_025261-97382.exe, 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480058
Start date and time:	2024-07-24 14:39:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rRFQ_025261-97382.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/9@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 43 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1612 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: rRFQ_025261-97382.exe

Simulations

Behavior and APIs

Time	Type	Description
08:40:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bank Slip.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	NATV0980090004.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	swift copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Purchase Order.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	132.226.247.73
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Purchase Order POT-247110.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Confirmation transfer Copy AGS # 24-00379.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SMLCHtAAMK.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	KQtHehIECg.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	94.156.8.9-skid.x86-2024-07-23T17_40_07.elf	Get hash	malicious	Mirai, Moobot	Browse	129.213.65.188
	Bank Slip.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_5bfa5ea0315cdaca1a7b99df22c7fbd6fc2a1cb_d4dab669_9df69206-636c-4235-adee-284acc9437f2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0965055388330214
Encrypted:	false
SSDEEP:	192:NhmLk8Q6AjT0BU/Sa6ce36izuiFaZ24IO8Gu:SJQ6AjABU/SarVizuiFaY4IO8G
MD5:	003C39E0551B56E1E958749CC9007FD1
SHA1:	A752FC3C44BB63639D3203984580C78BEEAA6204
SHA-256:	B6288B5C675F21EEDB2611EA057E55B2A10C21048EF9306A4F4A45868D2250B0
SHA-512:	3E3E8928307F0E49DA34F337CC57206DD9FBE229D1F9B02CE38227E9E3F2BAFD711EFFFF1ABB3A7AA44F482CFD08B66685E636AD3DB2B38EE6E781D6488D4B15
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.2.9.8.4.1.8.4.4.2.0.7.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.2.9.8.4.1.9.2.5.4.5.5.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.f.6.9.2.0.6.-.6.3.6.c.-.4.2.3.5.-.a.d.e.e.-.2.8.4.a.c.c.9.4.3.7.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.5.b.1.3.c.f.-.1.6.6.3.-.4.7.a.b.-.9.c.3.3.-.1.1.6.2.6.4.8.e.9.8.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.4.-.b.b.c.a.-.d.8.9.e.c.6.d.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC640.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 12:40:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	255478
Entropy (8bit):	3.8084381345476435
Encrypted:	false
SSDEEP:	3072:C3RCAgsD1bUHIYir6Hyfe4uEqK4Qpn0oLTgwYYWL:C3RCAgs5+IZrSyfe4sWNTgwY
MD5:	A481736936E36663111B487860743037
SHA1:	5C34F242F93D623C4332F26166F3ACD75AF0CDD5
SHA-256:	C20D4D0A012ABD6B688EA00CA6896997438B12FFC7233DD0B6FE7F71DCEA770B
SHA-512:	A651E216F742D3ADD4DD2630FB6435AC9B7F9A5B7A7A7F8A5F18CDD2C76972C1FB5712A1FDDBF5FFF0F39A1055C46E8EB0E87C0D393B8C4AEEE833A932C132E2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......2..f....................................<....#.......$.."M..........`.......8...........T............:..............#...........%..............................................................................eJ......P&......GenuineIntel............T.......L...)..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC799.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6308
Entropy (8bit):	3.7231516001495066
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbwOA6GvY64xuQE/Cqo5aM4UB89bBXsfirm:R6l7wVeJwOA6uY640YprB89bBXsfirm
MD5:	59A082B52F5975C409AE7E29CBB22400
SHA1:	EDE019A950A3AD10DC6C0E1FBBDDBEB3478E0156
SHA-256:	AE948C38B51964229A4D2ED439AFA989C1029FBCE6785352F2ECE2500A6BFFAA
SHA-512:	DC099567DEBB66F55C223D08593390B2FEF62EC015E0141469CB534B2E95FE421BEF37BEBA9299FFC89A3E61761C98D973007C8C0509CF2A20E342ED5E922C8B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7B9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4651
Entropy (8bit):	4.477307362304682
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg77aI9WhWpW8VYJYm8M4JZjF3+q8APMmDI7d:uIjfoI7Iw7VBJLSmDI7d
MD5:	6CBF45E8240686C52EF579E0B2695751
SHA1:	CDA19199A42CE0EF9D91CF688A61C92F914B0407
SHA-256:	7D83E791CF260FFE9C0F88B2DA3F68EE564A73E2408EC2C530B55E82B58D1D4D
SHA-512:	9B2AAA95CD1857BA31D6AF731EDE97F70C6F7361739301963647BBADD0640A284CEA228061A01B63821DA68A62D799481C22549C1FE6ED90D1DBF557F4A32372
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\autA153.tmp

Download File

Process:	C:\Users\user\Desktop\rRFQ_025261-97382.exe
File Type:	data
Category:	dropped
Size (bytes):	83638
Entropy (8bit):	7.881535188691752
Encrypted:	false
SSDEEP:	1536:ryTHZvCaiOz/Q2kUUNRhzrwby18K1V0VdDrfdatjdi1x+um3VRoOj3lUFOWeR:OTHfxrclLzrwby1RinDbgjdiPMR36oR
MD5:	4340A4D0F79812276B23957E04F033A0
SHA1:	46D5603A1FD2D18024B0D773D9397EAD19EAE59F
SHA-256:	2E81B9776F5012E6952B0D533325D042214921B06219D779F0D3CC5993ED4BD1
SHA-512:	40FFC7CA1059675993860304230CC2E80DB3B74E515D215C01AB5D8048F998CBB26C181980FDC1732298797054C800A7F973BE526AB41BB0AEDB5A7351CB2F74
Malicious:	false
Reputation:	low
Preview:	EA06.....G.u...cS....>v.E..........i..,..;5.....R...l..B.D..K......f....UT.M+q...S>.Qm...NE .DgR.<R.b.I.Uy..w<..@..c..f....\|.Q%..Z...T).&7E..i.....Z..U..?.z..q......EF.G..Ff..5.E&.3..Tb.C..itY.B.&..h.9.`.....N.d.:.H.9.Rh....w...P.!_..w.g.P. ...X.4...Wc..t....UtTJ=@.p...U........{..:.....0..k@.......Ef....k5..t.,...........C..M\|.:.V..Q..j....{..&u:...b.R0.......(..E(.S`...Z..r...U.....J.D.Qg4...N.....f&.`....pI......i...\.p.........8N...X..e.+..1O..s;...3.Uc.....P..i4.,.Gv.Lk<Z-B.5........`..1..]......tZoB.1.S....[.'..h..d".K...z...E.^...U..3.W.......M....f.U.lk@M...;.Qfuk......hs.W....G%..l..C..3.&.e.......n....N.C...v..X....o6y...1.X(..u_m%../V.}t...c.9mN.P....=6.U.Mo.[m:........r.S...:..I..q..!x.Li..,f.U....:.....EoP....D.T)3.U"q...&uy...(.Gh..].m1..{.....I..5Y...[../3.E............T.h..u.I1...9...K..j.....m.P.{j.BgP..&R.(.A3.S..:...8Qh...Q..U@..H....R...l.....j....KE../...F.:..~....W...-.{.gK.s.P..F}..~,t.\|F.V...F.,.g..8/.h..D...l..J]..p-..LL...

C:\Users\user\AppData\Local\Temp\autA193.tmp

Download File

Process:	C:\Users\user\Desktop\rRFQ_025261-97382.exe
File Type:	data
Category:	dropped
Size (bytes):	9754
Entropy (8bit):	7.631862102065648
Encrypted:	false
SSDEEP:	192:CZIUd0cGw1zWEtGbIn+XmqvCYlDU8UdOFAf4+nI8eiE59zRxx6XQZn:Yd0bWWEtiq+X/CDDhI85q9LPZn
MD5:	A8C95873ABF8CD49CD10B84295FAD655
SHA1:	68F92E917BC956A2BD8707DE9C025D6EDEA9162D
SHA-256:	85C06AA62F6FF2618F9982AC34A5E3F47A5C0BAF22D01E75B7779218913F6D16
SHA-512:	10B6F5B22DE68AA6F97937BA8042CA9D3271FA1FE5AF1EEBE8B8B63E5C5004FB4E93197E2F6B5B33FF38ECEA0F0BF756BA1973A9EA67F4DFBD96703863C2B5F0
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\brontothere

Download File

Process:	C:\Users\user\Desktop\rRFQ_025261-97382.exe
File Type:	data
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	6.8949828842713865
Encrypted:	false
SSDEEP:	3072:KWFA6MFF5qH90i56MlgjvKa1QKUMJzedd9TMcM1qc5Xz:RFADFF5qH90LWgWa1QTM1ez9T6
MD5:	6554FC1949F4BBF4FC79366BF791CAC3
SHA1:	1EB026651C78CFD541B5DAA1177C3A0EA10D0704
SHA-256:	2D24F44B70D113AA3CCDAB1A15BEE1E4FD4EB0F1139DFD030B20FE751C4630AC
SHA-512:	F268B380A1E8B01866A8A1CF229ED2B333B19D8A791FDAB8E5297052B18E29404FEB9F880AFB75ABF5E538CE77C545A5E62513621A314D44B42F3C8028332714
Malicious:	false
Reputation:	low
Preview:	...PV61SAGPC.KE.PU61SEG.C1HKE3PU61SEGPC1HKE3PU61SEGPC1HKE3P.61SKX.M1.B...Tz.r./90.89T"4[.0$)>,Eh) ." X.:+g..bh&W5{;<YaGPC1HKEc.U6}RFG\|&D.KE3PU61S.GRB:I.E3.T61GEGPC1H.T1PU.1SEgRC1H.E3pU61QEGTC1HKE3PQ61SEGPC1(IE3RU61SEGRCq.KE#PU&1SEG@C1XKE3PU6!SEGPC1HKE3PQ'3S.GPC1hIE.@U61SEGPC1HKE3PU61SE.RC=HKE3PU61SEGPC1HKE3PU61SEGPC1HKE3PU61SEGPC1HKE3PU61SEgPC9HKE3PU61SEGXc1H.E3PU61SEGPC.<.=GPU6U.DGPc1HK.2PU41SEGPC1HKE3PU6.SE'~1B:(E3P.&1SEgRC1ZKE3.T61SEGPC1HKE3P.61.k55/^+KE?PU61.GGPA1HKC1PU61SEGPC1HKEsPUt1SEGPC1HKE3PU61S.VRC1HKE{PU63S@Ghb0H..3PV61S.GPE.hJE.PU61SEGPC1HKE3PU61SEGPC1HKE3PU61SEGPC1HKE3P.K.\...*B.E3PU61RGDTE9@KE3PU61S;GPCwHKEsPU6.SEGuC1H&E3Pq61S;GPCOHKEWPU6CSEG1C1H.E3P:61S+GPCOHKE-R}.1SOmvC3`jE3ZU.. gGPI.IKE7#v61Y.EPC5;oE3Z.51SA4uC1B.A3PQE.SEM.F1HOoiPV.'UEGK,.HKO3S.#7SE\ze1Jc.3P_6.uED.V7HK^.rU4.ZEGTig;VE3V}u1SO3YC1J.O3PQ./Qm.PC;bi;#PU2.Soe.R1HOn3zwH#SEC{C.j5V3PQ.1yg9DC1L`E.NW.%SECzaO]KE7{U..-SGPG.HagMGU65xEmNA._KE7zS.SS7~LCAK$.3PS..SEMx.1HME.jUH.SECR,.HKO.z.63{DFPI1JH8.PU23W8pPC5b.E1+l6

C:\Users\user\AppData\Local\Temp\trickstress

Download File

Process:	C:\Users\user\Desktop\rRFQ_025261-97382.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.579851443075277
Encrypted:	false
SSDEEP:	384:gAQKy7bFwQ4/6BmsM6IYj8R250duB0o6RcL02TqOIdsVHfGbLph1juTJOtHtiP:PQKM1GsMMIA8Yo2TMdshGbLph1jXtAP
MD5:	8EB9A502182198B77CC89D78F6AEEE02
SHA1:	3AEFCD22FEF347A420BA4669F8D6D1334FC6E99D
SHA-256:	BB8F88159FE410CCF309A0879A61ABFEBACEDA6A4035288190041A2E061ED7C8
SHA-512:	EA4DF30850F1BF21409B274A0F62E9D4388B2D81D4903FF15E2E5CD025F8C846BFC2554E39046A2D61CC92A74BFF2DB034D3B6A936D0697D151B2B91E7CD9B7A
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372998192904953
Encrypted:	false
SSDEEP:	6144:JFVfpi6ceLP/9skLmb0VyWWSPtaJG8nAge35OlMMhA2AX4WABlguNWiL:fV1LyWWI/glMM6kF7Yq
MD5:	6FC3F61A4C1100826FFF56663AEA714B
SHA1:	2F651DADAC232E31D9305AD07339E5BB1DB094FA
SHA-256:	2CBCCD4835B8D742929C8E9E270D92A084B8269CDABD5550AAA3B1EB9E4DA9F7
SHA-512:	5A38DC0AF7FC67B08EE2BDCA7F1D51AE76C209A71164AB98BA95C4BF1DFA436EBC5FD7D28513ECC490EADA2D827F495B39B303C9E8C1976425B38072FBC15026
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~...................................................................................................................................................................................................................................................................................................................................................{.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.53527047834096
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rRFQ_025261-97382.exe
File size:	1'230'336 bytes
MD5:	508128551f3b5bd0b8aa67778787192b
SHA1:	20109fb53468184a37748f5a5a9e8e6604768822
SHA256:	28598b988b1838de1db1d09ee5e7ef40353622ac2532259137dc8199697dba37
SHA512:	c94100c9752e9ec5f899ffeff827d0f2827146658392e3b7da9c1abc50cc0f0b3b1f03f88f7418ef1c96d2eaf8653efdd585e0e1b236854575e87416dbb0fc14
SSDEEP:	24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8a+APYrm:cTvC/MTQYxsWR7a+AA
TLSH:	D245AF0373819062FF9B92334B67E6554B7D6E2A4133A91F139C397ABA70172123E763
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x669E5A7E [Mon Jul 22 13:11:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE8B0BF4253h
jmp 00007FE8B0BF3B5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8B0BF3D3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8B0BF3D0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE8B0BF68FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE8B0BF6948h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE8B0BF6931h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x55a44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x55a44	0x55c00	2b99d63104834ae7c2a5b80f1195caa1	False	0.46053890306122447	data	5.50806043617119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4350	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4478	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	English	Great Britain	0.13495903981710802
RT_STRING	0x1078a0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0x107e34	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0x1084c0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0x108950	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0x108f4c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0x1095a8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0x109a10	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0x109b68	0x1f9e8	data			1.0003551794428316
RT_GROUP_ICON	0x129550	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x129564	0x14	data	English	Great Britain	1.15
RT_VERSION	0x129578	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x129654	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:40:11.819873095 CEST	49704	80	192.168.2.8	158.101.44.242
Jul 24, 2024 14:40:11.824839115 CEST	80	49704	158.101.44.242	192.168.2.8
Jul 24, 2024 14:40:11.824914932 CEST	49704	80	192.168.2.8	158.101.44.242
Jul 24, 2024 14:40:11.825181007 CEST	49704	80	192.168.2.8	158.101.44.242
Jul 24, 2024 14:40:11.830095053 CEST	80	49704	158.101.44.242	192.168.2.8
Jul 24, 2024 14:40:18.764641047 CEST	80	49704	158.101.44.242	192.168.2.8
Jul 24, 2024 14:40:18.806927919 CEST	49704	80	192.168.2.8	158.101.44.242
Jul 24, 2024 14:40:24.820224047 CEST	49704	80	192.168.2.8	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:40:11.805562019 CEST	54040	53	192.168.2.8	1.1.1.1
Jul 24, 2024 14:40:11.813677073 CEST	53	54040	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 14:40:11.805562019 CEST	192.168.2.8	1.1.1.1	0x7e98	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 24, 2024 14:40:11.813677073 CEST	1.1.1.1	192.168.2.8	0x7e98	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	158.101.44.242	80	1612	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 14:40:11.825181007 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 24, 2024 14:40:18.764641047 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Wed, 24 Jul 2024 12:40:18 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 3b4f969697d8b7b5e1d2399b5f5d21e9 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	08:40:08
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\rRFQ_025261-97382.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rRFQ_025261-97382.exe"
Imagebase:	0x210000
File size:	1'230'336 bytes
MD5 hash:	508128551F3B5BD0B8AA67778787192B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1431825034.0000000004020000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:40:09
Start date:	24/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rRFQ_025261-97382.exe"
Imagebase:	0x800000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1560230703.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1561069450.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:40:18
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1484
Imagebase:	0x230000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	56

Executed Functions

Function 002142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0021430D

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetCurrentProcess.KERNEL32(?,002ACB64,00000000,?,?), ref: 00214422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00214429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00214454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00214466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00214474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0021447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002144A0

Strings

kernel32.dll, xrefs: 0021444F
GetNativeSystemInfo, xrefs: 00214460
|O, xrefs: 002536F8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction ID: 68e9de9a00776e5683bff418f55ec1745a0901f8ad5a6a8aa30c3b74dcd6255e
Opcode Fuzzy Hash: 8bff81ab9414dd8875c4cf462b3f75a2591af8c6a2b7923b04f446a2dd2a0be3
Instruction Fuzzy Hash: 34A103729AA2C0CFCB11DB697CCC1D87FE46B36740B1858F8E4459BA62D27049B8CB35

Function 002142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002150AA,?,?,00000000,00000000), ref: 002142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002150AA,?,?,00000000,00000000), ref: 002142C9
LoadResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535BE
SizeofResource.KERNEL32(?,00000000,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20), ref: 002535D3
LockResource.KERNEL32(002150AA,?,?,002150AA,?,?,00000000,00000000,?,?,?,?,?,?,00214F20,?), ref: 002535E6

Strings

SCRIPT, xrefs: 002142BF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction ID: 4c6772e0a01112904648ddf7c5ed991810e88c3e49dd5a0d78ceed3861e3b646
Opcode Fuzzy Hash: 3c3a007a9d82a40ae2ecdb9468dd287d658f4ff1312721fb95e47641610dff6a
Instruction Fuzzy Hash: E1117C70210701BFE7219F65EC48F677BBAEBD6B51F20416AB80696250DF72D8508620

Function 00252BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002D2224), ref: 00252C10
ShellExecuteW.SHELL32(00000000,?,?,002D2224), ref: 00252C17

Strings

runas, xrefs: 00252C0B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: afc5d68c8cb32dc46ae726d543b96e389b257685a783ab3026d664a893858d45
Instruction ID: 74a5920e7b16435ce212562375f0048da29b7add1e8c207240f1e22e3f4fc463
Opcode Fuzzy Hash: afc5d68c8cb32dc46ae726d543b96e389b257685a783ab3026d664a893858d45
Instruction Fuzzy Hash: 8511D2312283459AC704FF20E855AEEB7E99BB6314F44042EB182121A2CF709AFD8B52

Function 0027DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00255222), ref: 0027DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0027DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0027DBEE
FindClose.KERNEL32(00000000), ref: 0027DBFA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction ID: 6a4f542907c364cb615c4039386603e1615a41298cb9ea2bdbac143ecb656bf0
Opcode Fuzzy Hash: d50cf9d9a4fe128cbc04b4fa34061f538d8182da2342d906374d3719878cfdbe
Instruction Fuzzy Hash: 45F0E5308209105782216F7CBC0D8AA37BC9E02334BA0870BF83AC20F0EFB05D64C6D5

Function 0021BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#., xrefs: 002607CE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#.
API String ID: 3964851224-3385838572
Opcode ID: 9c1bfb76a1499a41f29cb48d80fe4cd1dc01ea17276ecd3cad3403c0e4ccfac4
Instruction ID: d3eed617f1dad90ca229d7e4e65ad672f0cec6183a3d5deab3b21966c7fa4ca7
Opcode Fuzzy Hash: 9c1bfb76a1499a41f29cb48d80fe4cd1dc01ea17276ecd3cad3403c0e4ccfac4
Instruction Fuzzy Hash: 71A279746283419FD714CF24C480B6AB7E1BF99304F24896DE89A8B352D771ECA5CF92

Function 0021D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0021D807
timeGetTime.WINMM ref: 0021DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB28
TranslateMessage.USER32(?), ref: 0021DB7B
DispatchMessageW.USER32(?), ref: 0021DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021DB9F
Sleep.KERNEL32(0000000A), ref: 0021DBB1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 05149ca1911b3b65b704587fd1e2df8523fb1c291dfc128de0c29f9c4166ae2a
Instruction ID: a206443a3d4ab2e7828e1aaf01771210fd04037baf12e35386840df738cda6ca
Opcode Fuzzy Hash: 05149ca1911b3b65b704587fd1e2df8523fb1c291dfc128de0c29f9c4166ae2a
Instruction Fuzzy Hash: 4B42F430628742DFD729CF24C888BAAB7E4BF55304F14455DE4968B291D7B4E8E8CF92

Function 00212CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00212D07
RegisterClassExW.USER32(00000030), ref: 00212D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
LoadIconW.USER32(000000A9), ref: 00212D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

AutoIt v3 GUI, xrefs: 00212D23
+, xrefs: 00212CF0
TaskbarCreated, xrefs: 00212D37
0, xrefs: 00212CE9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction ID: 5823bec68cf755554668ad8dc071430e82fff3e1ff8f9d91a4fc792db9fcca21
Opcode Fuzzy Hash: 24a3af4d6f0f9da16408cfe15e6fdc7eec3952081f5bd4802dc2bcbca6a7b1a9
Instruction Fuzzy Hash: C421B4B5951258AFDB00DFA4FC89BDDBBB8FB09700F10412AE511AA2A0DBB545548F91

Function 00248D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.#, xrefs: 0024903A, 00248FD0, 00248FF2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: .#
API String ID: 0-197210044
Opcode ID: e9744b3177d868e985a99c8b15a5d3626508b02ae0c982ee0073dd1ea1602919
Instruction ID: 84d275f23f04297cff4e112efcc1bb86661948abcfe6574703031cb7e518a98c
Opcode Fuzzy Hash: e9744b3177d868e985a99c8b15a5d3626508b02ae0c982ee0073dd1ea1602919
Instruction Fuzzy Hash: A3C10874D24249DFDF19DFA8D885BAEBBB0AF09310F144195F814AB392CB7089A1CF61

Function 0025065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025039A: CreateFileW.KERNELBASE(00000000,00000000,?,00250704,?,?,00000000,?,00250704,00000000,0000000C), ref: 002503B7

GetLastError.KERNEL32 ref: 0025076F
__dosmaperr.LIBCMT ref: 00250776
GetFileType.KERNELBASE(00000000), ref: 00250782
GetLastError.KERNEL32 ref: 0025078C
__dosmaperr.LIBCMT ref: 00250795
CloseHandle.KERNEL32(00000000), ref: 002507B5
CloseHandle.KERNEL32(?), ref: 002508FF
GetLastError.KERNEL32 ref: 00250931
__dosmaperr.LIBCMT ref: 00250938

Strings

H, xrefs: 002508BD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction ID: 136cc8579d319c3c2704e33a553655abfc9a2bcdab72d88c5a02bbb4b61934fa
Opcode Fuzzy Hash: 2a0e1a1ecbbe2bf190547002b9d1cdd371920f28310cb10ee78ac247e6450a24
Instruction Fuzzy Hash: 73A15732A201058FDF19AF68ECD5BAE7BA0AB06321F140159FC159F391CB309C27CB95

Function 0021344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00213A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E1418,?,00212E7F,?,?,?,00000000), ref: 00213A78

Part of subcall function 00213357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00213379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0021356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0025318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002531CE
RegCloseKey.ADVAPI32(?), ref: 00253210
_wcslen.LIBCMT ref: 00253277
_wcslen.LIBCMT ref: 00253286

Strings

Include, xrefs: 00253184, 002531C5
Software\AutoIt v3\AutoIt, xrefs: 00213560
\, xrefs: 0025328C
\Include\, xrefs: 00213527

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1167906c5450efdd327d2ddda8c4dae3e47d02a5ed963c0bdf0d779c4bfd51b0
Instruction ID: 44921d6cc36a0688bde9f6072997bca40cfc4684e654de199ecbc8b724ecdc79
Opcode Fuzzy Hash: 1167906c5450efdd327d2ddda8c4dae3e47d02a5ed963c0bdf0d779c4bfd51b0
Instruction Fuzzy Hash: 03717C71464341DEC314EF65EC869ABBBE8FF95340F40046EF94697160EB709A98CFA1

Function 00212B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00212B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00212B9D
LoadIconW.USER32(00000063), ref: 00212BB3
LoadIconW.USER32(000000A4), ref: 00212BC5
LoadIconW.USER32(000000A2), ref: 00212BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00212BEF
RegisterClassExW.USER32(?), ref: 00212C40

Part of subcall function 00212CD4: GetSysColorBrush.USER32(0000000F), ref: 00212D07
Part of subcall function 00212CD4: RegisterClassExW.USER32(00000030), ref: 00212D31
Part of subcall function 00212CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00212D42
Part of subcall function 00212CD4: InitCommonControlsEx.COMCTL32(?), ref: 00212D5F
Part of subcall function 00212CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00212D6F
Part of subcall function 00212CD4: LoadIconW.USER32(000000A9), ref: 00212D85
Part of subcall function 00212CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00212D94

Strings

AutoIt v3, xrefs: 00212C2F
0, xrefs: 00212C0F
#, xrefs: 00212C16

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction ID: 22a79f6a61331cee4103f334d4b4d8cc9e728f7cded628fd2b947214ff8bbf1b
Opcode Fuzzy Hash: 387310914000a3554992066173608bf09ce5dbba6a35befa13b671e4a6694a63
Instruction Fuzzy Hash: 0E210C75E90354ABDB109F95FC9DAADBFB4FB48B50F1000AAE500AA6A0D7B11560CF90

Function 0021B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021BB4E

Strings

p#., xrefs: 0021BB6B
p%., xrefs: 0021BB32
p#., xrefs: 0021BA72
x#., xrefs: 00260207
p#., xrefs: 0026024F
p#., xrefs: 00260263
x#., xrefs: 00260168
p%., xrefs: 0021B8DC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#.$p#.$p#.$p#.$p%.$p%.$x#.$x#.
API String ID: 1385522511-553131232
Opcode ID: 37ca03392d2676557315c7d4a766524b77f5009a6d2b4e93db6745e9796e31d7
Instruction ID: 9c2eced1087439aa04d1dcf425edf01286cea40e6f6c3352e78354fa2a5873a7
Opcode Fuzzy Hash: 37ca03392d2676557315c7d4a766524b77f5009a6d2b4e93db6745e9796e31d7
Instruction Fuzzy Hash: 8C32CF34A2020ADFDB15CF54C894ABEB7F9EF54304F148099E906AB291C7B4ADE1DF91

Function 00213170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0021316A,?,?), ref: 002131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0021316A,?,?), ref: 00213204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00213227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0021316A,?,?), ref: 00213232
CreatePopupMenu.USER32 ref: 00213246
PostQuitMessage.USER32(00000000), ref: 00213267

Strings

TaskbarCreated, xrefs: 0021322D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5e3ef98de3085ac8729d732491333de7cf840dff26f4cf12707f9bffdc3ac9d9
Instruction ID: 583b74827b2b6ab0e39cb760329395792c70764ff370d0d7a9a71e6593739b5d
Opcode Fuzzy Hash: 5e3ef98de3085ac8729d732491333de7cf840dff26f4cf12707f9bffdc3ac9d9
Instruction Fuzzy Hash: D04118312B0245A7DB15AF78AC4DBF936DAE726340F140135F906852E1CBB19EF49BA1

Function 0021DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%., xrefs: 0021E1E0
D%.D%., xrefs: 0021E27E
D%., xrefs: 0021E4B1
Variable must be of type 'Object'., xrefs: 002632B7
D%., xrefs: 0026302D
D%., xrefs: 00262FDA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: D%.$D%.$D%.$D%.$D%.D%.$Variable must be of type 'Object'.
API String ID: 0-516259185
Opcode ID: 8ff0d1686bbdf28ac9c0c282735bce68ed7568167db3b9685330af9b208c18fd
Instruction ID: 0277919ffbe1eb00db7207ea12a99654a97a59d9d218416e877d2800cdeefa62
Opcode Fuzzy Hash: 8ff0d1686bbdf28ac9c0c282735bce68ed7568167db3b9685330af9b208c18fd
Instruction Fuzzy Hash: 65C27D71A20215DFCF14CF58D880AADB7F1BF28310F258169ED16AB291D375EDA1CB91

Function 00212C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00212C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00212CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00211CAD,?), ref: 00212CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00211CAD,?), ref: 00212CCF

Strings

edit, xrefs: 00212CAC
AutoIt v3, xrefs: 00212C89, 00212C8E, 00212C8F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction ID: 0515c94cba2769057f4efad9c8dae9e3b6ff773fb6c8cca9fae3f403127e53d2
Opcode Fuzzy Hash: be5c15d4343972d6f7f5d2a026ab279b493098584cd8e405c86a37ed04497b8a
Instruction Fuzzy Hash: 31F0DA755802D07BEB311717BC8CE776FBDD7C7F50B1000AAF900AA5A0C6711861DAB0

Function 00282947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282C05
DeleteFileW.KERNEL32(?), ref: 00282C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00282C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00282CC0

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a09ae5d8be114dbde00ba757a37fed7b1a31a2e74dff01c2f64879052630114f
Instruction ID: e47a6aa49e7a5a916af32d1ccc4aabd7bc380b7c01c29b7b6053d96f05de4d0e
Opcode Fuzzy Hash: a09ae5d8be114dbde00ba757a37fed7b1a31a2e74dff01c2f64879052630114f
Instruction Fuzzy Hash: AFB170B1D21129EBDF15EFA4CC85EDEB7BDEF49310F1040A6F509E6181EA319A588F60

Function 00245AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO!, xrefs: 00245BA8, 00245C6C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: JO!
API String ID: 0-3116667536
Opcode ID: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction ID: 3416695e58f034b95e0c1adc1dada47f00f231f83e3bddcc9f56afcb170b3322
Opcode Fuzzy Hash: 3d874f82bf57cb7cebc9cac489df768c0afe6e47bcfc19f2088db2f10080f813
Instruction Fuzzy Hash: 4151E4B1D3062ADFCB189FA4D985FAEBBB4EF05314F14005AF445AB293D6708921CB61

Function 00213B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00213B0F,SwapMouseButtons,00000004,?), ref: 00213B83

Strings

Control Panel\Mouse, xrefs: 00213B3E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction ID: 63d65937bec4ac696d65e6d35c5ce4df387746fdf52b08e9acf0c0de9932a7ee
Opcode Fuzzy Hash: fc28918cf4dbf8bcebf709989fae1f49deb6b7d1613504cbcce4a49d33dfd76a
Instruction Fuzzy Hash: 04115AB1524209FFDB20CFA4DC48AEFB7F9EF11748B104469A805D7210E6319F949760

Function 00212DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00252C8C

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 00212DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00212DC4

Strings

X, xrefs: 00252C5A
`e-, xrefs: 00252C85

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e-
API String ID: 779396738-4103291849
Opcode ID: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction ID: 1e07cd88ba7b0adc5977d5da939ede8118732a9a7b16b4c745f60f474521c986
Opcode Fuzzy Hash: 54abb68aaba519649c14ae3e3b646b693d2128993dc2e226e9098f71448a8f32
Instruction Fuzzy Hash: 0A21D570A20298DFCB01EF94D849BEE7BF8AF59305F00405AE405B7241DBB49AAD8F61

Function 0022FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00230668

Part of subcall function 002332A4: RaiseException.KERNEL32(?,?,?,0023068A,?,002E1444,?,?,?,?,?,?,0023068A,00211129,002D8738,00211129), ref: 00233304

__CxxThrowException@8.LIBVCRUNTIME ref: 00230685

Strings

Unknown exception, xrefs: 00230692

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 73a0be61fc2b5bd5e46f34f5d6482102259d74231b1c0bd304565f8f71f13e80
Instruction ID: 3ffd39be4ae7ac3ef376eca598717b9e55711b0b404cca2784b28193419f5991
Opcode Fuzzy Hash: 73a0be61fc2b5bd5e46f34f5d6482102259d74231b1c0bd304565f8f71f13e80
Instruction Fuzzy Hash: F7F0AFA492020E77CB00BAA4E896C9E777C6E01310FA04571B92496595EF71EA758D90

Function 00283017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0028302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00283044

Strings

aut, xrefs: 00283038

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction ID: dc14ae46a32994df9cbb2a79cf3e77575cda35fbcc5de6cebf33a46ba1a079be
Opcode Fuzzy Hash: d8bf7a411720b6a0e60e7731bad573479d762e88bdbc6a8ad5c3434be97d8242
Instruction Fuzzy Hash: 4FD05E7250032867DA20A7A4AD0EFCB3B6CDB06750F0002A2BA96E2091DEB09984CAD0

Function 00297F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002982F5
TerminateProcess.KERNEL32(00000000), ref: 002982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 002984DD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: eee327d534c487defbe0f7df400c306b2eadde3805b4034b83e87594660a5f89
Instruction ID: cbf05c7bc0ead59aee23163524c90436a9602a7132c507a9627497189e0e9d07
Opcode Fuzzy Hash: eee327d534c487defbe0f7df400c306b2eadde3805b4034b83e87594660a5f89
Instruction Fuzzy Hash: C3127C71A183419FCB14DF28C484B6ABBE5FF85314F18895DE8898B252CB31ED55CF92

Function 002110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00211BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00211BF4
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00211BFC
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00211C07
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00211C12
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00211C1A
Part of subcall function 00211BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00211C22

Part of subcall function 00211B4A: RegisterWindowMessageW.USER32(00000004,?,002112C4), ref: 00211BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0021136A
OleInitialize.OLE32 ref: 00211388
CloseHandle.KERNEL32(00000000,00000000), ref: 002524AB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2d870e849ed714087d71a641bd65b372da5076651f2fcd1e04c1e41e411dc161
Instruction ID: 72f124cb969b68c8d878e80284faf51f5e7100ccc51fa12bdbbbb25446a5c5fe
Opcode Fuzzy Hash: 2d870e849ed714087d71a641bd65b372da5076651f2fcd1e04c1e41e411dc161
Instruction Fuzzy Hash: 2F7180B49A13C18FD784DF7AB9C96A93AE4FB99344394413AD40ACB3A1EB3044B5CF51

Function 002154C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0021556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0021557D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: cd628c3ad2d990bee5eb8730a6e11642409526534c632a4e35e027934595a3ad
Instruction ID: 06ec8731183b494c749906c1f49d1b19e5c2b002adf054c42e345debf5706f4c
Opcode Fuzzy Hash: cd628c3ad2d990bee5eb8730a6e11642409526534c632a4e35e027934595a3ad
Instruction Fuzzy Hash: 1F314D71A1061AFFDB14CF28C880B99B7F6FB54314F148269E91597240D771FDA4CB90

Function 002486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002485CC,?,002D8CC8,0000000C), ref: 00248704
GetLastError.KERNEL32(?,002485CC,?,002D8CC8,0000000C), ref: 0024870E
__dosmaperr.LIBCMT ref: 00248739

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction ID: 2951c5aef96608812d10f05161ea9d973d640253f2745b4340211f5dbdd56c3e
Opcode Fuzzy Hash: 877e8e73f19cacfde6eca087cc69cde6959f722039de1d3664405e2ce45a220a
Instruction Fuzzy Hash: D8012B33A3567027D6AD6A346889B7E6B4D4B82774F3A0199F9188B1D3DEA0CCE18550

Function 00282FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00282CD4,?,?,?,00000004,00000001), ref: 00282FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00282CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00283006
CloseHandle.KERNEL32(00000000,?,00282CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0028300D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 90681d7f935209f8fb4982483fcee962312e13013caa69ddcfe6e5ccb3713872
Instruction ID: 3e967af9934055cec0e07381276692268d610e4ccb1702127c25ed61c8522551
Opcode Fuzzy Hash: 90681d7f935209f8fb4982483fcee962312e13013caa69ddcfe6e5ccb3713872
Instruction Fuzzy Hash: A9E0863638131077D6312755BC0DF8B3A1CD787F71F204211F719750D08EA0550143A8

Function 00221310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002217F6

Strings

CALL, xrefs: 002217C6

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 03eed7ae7cbbb81f425d14fa9fa85502620a0caf17a71e0c721cac1193b2c318
Instruction ID: b2c8e2e3669a21f9443cfc41d016cfc244b4f6a8ee6dd5c5cb3e6ddf07d7e77b
Opcode Fuzzy Hash: 03eed7ae7cbbb81f425d14fa9fa85502620a0caf17a71e0c721cac1193b2c318
Instruction Fuzzy Hash: 78229970628212AFC714DF54E484E2ABBF1AF95304F64896DF4868B361D771E8B1CF82

Function 00286EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00286F6B

Part of subcall function 00214ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00286F5A, 00286F63

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: eecfe4b0940d8a8dd55fb99ac87ee3c498547834ae2ba8826f44263831efe345
Instruction ID: 3b9d8dad527a2f6fcfb2d9759e30f790a5176837a53265bca3183264bb21d154
Opcode Fuzzy Hash: eecfe4b0940d8a8dd55fb99ac87ee3c498547834ae2ba8826f44263831efe345
Instruction Fuzzy Hash: 8FB196351292019FCB14FF24C4919AEB7E5BFA4300F14895DF89A972A1DB30EDA5CF91

Function 00282557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00282587

Strings

EA06, xrefs: 002825B9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 5f1ee84d82e688af6e5d3fc18653c58418e40688e06c22081e8d19b1fda34031
Instruction ID: ee3fbe731c0e5fd406c75a134bf2ac52718991bf469df410a4b011a7d2b64bcb
Opcode Fuzzy Hash: 5f1ee84d82e688af6e5d3fc18653c58418e40688e06c22081e8d19b1fda34031
Instruction Fuzzy Hash: A001B5B2954258BEDF28D7A8C856FAEBBF89B05301F00455AE592D21C1E5B8E6188B60

Function 0024C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00242D74: GetLastError.KERNEL32(?,?,00245686,00253CD6,?,00000000,?,00245B6A,?,?,?,?,?,0023E6D1,?,002D8A48), ref: 00242D78
Part of subcall function 00242D74: _free.LIBCMT ref: 00242DAB
Part of subcall function 00242D74: SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DEC
Part of subcall function 00242D74: _abort.LIBCMT ref: 00242DF2

Part of subcall function 0024CADA: _abort.LIBCMT ref: 0024CB0C
Part of subcall function 0024CADA: _free.LIBCMT ref: 0024CB40

Part of subcall function 0024C74F: GetOEMCP.KERNEL32(00000000), ref: 0024C77A

_free.LIBCMT ref: 0024CA33
_free.LIBCMT ref: 0024CA69

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 2baff2b3ddaaf2e3a629ff04651b65558bc1a963797305130a6f613b3c7ef63a
Instruction ID: c5c5c1b0abf97a95952e2f2467f34f0aaf41185f723a0fe0d1545246ae23ab93
Opcode Fuzzy Hash: 2baff2b3ddaaf2e3a629ff04651b65558bc1a963797305130a6f613b3c7ef63a
Instruction Fuzzy Hash: 8F31CF31911219AFDB58EFADD441AA9B7F5EF40324F31019AE8049B2A2EB719D60CF50

Function 00215745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0021949C,?,00008000), ref: 00215773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0021949C,?,00008000), ref: 00254052

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ddbf8440c241d97f99692ba3ccc239b01753d39a1e4fb38522a12910ddfb98e
Instruction ID: 50ca075b07c5dd43a86aeed5169755355b97c0cb95cbabd59c7470d9df10da8c
Opcode Fuzzy Hash: 2ddbf8440c241d97f99692ba3ccc239b01753d39a1e4fb38522a12910ddfb98e
Instruction Fuzzy Hash: FB018430255325F6E3311A25DC0EF97BF94DF42774F108200BA5C5A1E0CBB454A5CB90

Function 00214ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00214E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E9C
Part of subcall function 00214E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214EAE
Part of subcall function 00214E90: FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EFD

Part of subcall function 00214E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E62
Part of subcall function 00214E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214E74
Part of subcall function 00214E59: FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4098dc99764eadba985eaa2c7e94e9e66a7e2710f318b884688a56e199bcb752
Instruction ID: 60601c0bad47d4fcdeab0b26c271062d35323dfb2e89f5523c83089a4d7d3f15
Opcode Fuzzy Hash: 4098dc99764eadba985eaa2c7e94e9e66a7e2710f318b884688a56e199bcb752
Instruction Fuzzy Hash: 92110431630205ABCF10FF60D802BEE77E49F60715F20442AF446AA2C1DE749AA59B50

Function 00248402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00248440

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction ID: 167ca451bf2fd2b699cc7c70644c00b6d8462be1a6639173d1422cde69389a47
Opcode Fuzzy Hash: 9b1e20d357f84c23ab3ec0187accd54887513bafd4253588253ead5b7e52d57e
Instruction Fuzzy Hash: AB11187591410AAFCB09DF58E98199E7BF5EF48314F144059FC08AB312DA31EA21CBA5

Function 00219A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0021543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00219A9C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 861bcd340fe16764386f0d94fd2e577cc824c97fba6983545ab4ee3b98422613
Instruction ID: b17ac8ced45c24d09094d279ec54515440c0ad13e97c98617a6fa45d94895a37
Opcode Fuzzy Hash: 861bcd340fe16764386f0d94fd2e577cc824c97fba6983545ab4ee3b98422613
Instruction Fuzzy Hash: 08116A312147019FD7248F05C8A0BA2B7F8AF54350F10C42DE99B86650C7B1A899CB60

Function 0023E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9d218cd255104d0fb51b36a3b63983385fe35861ca83565b73faad6888678638
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 32F028B2530A14D7DF353E6A9C06B5B339C9F52335F12071AF920971D2CB70D8298EA5

Function 00243820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction ID: 185ad9c37776bcef0ee58cd49e8f00a044a8b51f54b9963bd98912fdc0ff493f
Opcode Fuzzy Hash: 32d4f6a24b633776fa06f48f4e94b4a8e46a33ca6f6607cdce7cd02d738112c2
Instruction Fuzzy Hash: 36E02B3253022697D735BE77AC04B9BB74AAF427B0F150032BC1496490DB61ED3189E0

Function 00214F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214F6D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7ee5f0f6859e16bd38e1548bc46d03f422f0e32ff23b9e9e0b19064fe9a683a4
Instruction ID: 4aa9761a5f0506d43a5ae5df6848478c1409a65839848d995dee946fe344f535
Opcode Fuzzy Hash: 7ee5f0f6859e16bd38e1548bc46d03f422f0e32ff23b9e9e0b19064fe9a683a4
Instruction Fuzzy Hash: 6AF0A070125302CFCB34AF20D490892B7E4FF20319320897EE1DE86A10C7319899DF00

Function 00212DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00212DC4

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction ID: 27301cd435283ad3238cc8fab5b61120867e6bed3f134b9e35397e03bd5c5815
Opcode Fuzzy Hash: 7e502d757d682a90ac21ed3f62666d674ffb5639456cf943fbb9903ebd32d7b3
Instruction Fuzzy Hash: E1E0CD726042245BC72092589C09FEA77DDDFC8790F050071FD09E7248D970AD948950

Function 00282693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002826B5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: d5e2f09d91c0e786cf93ca2a6d9cdeaef96cbf7d221bc4d475a97db637bf1049
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: E3E048B461A7109FDF396E28A8517B677D89F49300F00045EF59B82252E57268558B4D

Function 00212B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00213837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00213908

Part of subcall function 0021D730: GetInputState.USER32 ref: 0021D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00212B6B

Part of subcall function 002130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0021314E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2a0bce2f2a78fcd5f82a122f930f7ccaf44215a4c169115b91044a4d121ff006
Instruction ID: 779b4a871edb0532a56f7e0c205b4a1a660b2f01f1aac0f523ad737b3d7ae1cb
Opcode Fuzzy Hash: 2a0bce2f2a78fcd5f82a122f930f7ccaf44215a4c169115b91044a4d121ff006
Instruction Fuzzy Hash: F7E0263132424403CA04FB30B8565EDA3DA8BF5311F40043EF142872A2CE208AF94B52

Function 0025039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00250704,?,?,00000000,?,00250704,00000000,0000000C), ref: 002503B7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction ID: baf01df59aeb1f0ddb872ee9a0a888fd997e8c638a3b74c3c9c3c5667d799167
Opcode Fuzzy Hash: ea445002bde49c3bab3b454ef7d9199a287928bad6714478596c5aa06edc7ead
Instruction Fuzzy Hash: 34D06C3214020DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020CB36E821AB90

Function 00211CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00211CBC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction ID: b8d2a3d7b9bf0a8ebf5aab62fa176ab5279e0799d613d512b71a994a616bb274
Opcode Fuzzy Hash: 9d8edaa66bf0d57f85305a81de76b189912025cc34347705034425a56d15a6a1
Instruction Fuzzy Hash: CBC09B352C0344DFF2144780BD8EF107754E348B00F944001F6097D5E3C7B11820D650

Function 0028744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00215745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0021949C,?,00008000), ref: 00215773

GetLastError.KERNEL32(00000002,00000000), ref: 002876DE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: e23e4885e63145fa8537fd8503425e6c3444915bff1c3129859949e39e8ec597
Instruction ID: 25e7b7f26904bf4f70280b0b6378bcf5cb6b83b5819e4fa314aaedd2617dfc15
Opcode Fuzzy Hash: e23e4885e63145fa8537fd8503425e6c3444915bff1c3129859949e39e8ec597
Instruction Fuzzy Hash: 6081F1342297019FC714EF28C491AA9B3E5BF98300F14456DF8995B2E2DB30EDA4CF92

Non-executed Functions

Function 002A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A96C9
SendMessageW.USER32 ref: 002A96F2
GetKeyState.USER32(00000011), ref: 002A978B
GetKeyState.USER32(00000009), ref: 002A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002A97AE
GetKeyState.USER32(00000010), ref: 002A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002A97E9
SendMessageW.USER32 ref: 002A9810
SendMessageW.USER32(?,00001030,?,002A7E95), ref: 002A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002A9941
SetCapture.USER32(?), ref: 002A994A
ClientToScreen.USER32(?,?), ref: 002A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A99D6
ReleaseCapture.USER32 ref: 002A99E1
GetCursorPos.USER32(?), ref: 002A9A19
ScreenToClient.USER32(?,?), ref: 002A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9A80
SendMessageW.USER32 ref: 002A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9AEB
SendMessageW.USER32 ref: 002A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002A9B4A
GetCursorPos.USER32(?), ref: 002A9B68
ScreenToClient.USER32(?,?), ref: 002A9B75
GetParent.USER32(?), ref: 002A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002A9BFA
SendMessageW.USER32 ref: 002A9C2B
ClientToScreen.USER32(?,?), ref: 002A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002A9CDE
SendMessageW.USER32 ref: 002A9D01
ClientToScreen.USER32(?,?), ref: 002A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002A9D82

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetWindowLongW.USER32(?,000000F0), ref: 002A9E05

Strings

@GUI_DRAGID, xrefs: 002A997D
F, xrefs: 002A9D07
p#., xrefs: 002A9990

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#.
API String ID: 3429851547-937396290
Opcode ID: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction ID: 6afb493ba5878830b353c114947476335c2776e8426238414fad6b4f180f3f4c
Opcode Fuzzy Hash: a1a5f1595924ff8359a1c2b7bfb224fd3781551a97604a58a576c8cadaa1e73a
Instruction Fuzzy Hash: 3D42AF34614241AFD724CF25DC88EAABBE9FF8A710F200619F659872A1DB71D8B4CF51

Function 002A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002A4A7E
IsMenu.USER32(?), ref: 002A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002A4B20
GetWindowLongW.USER32(?,000000F0), ref: 002A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002A4C82
wsprintfW.USER32 ref: 002A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 002A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 002A4D5A

Strings

%d/%02d/%02d, xrefs: 002A4CA8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2c3057a6d72e4af9b810d0de2e42db1f5317f054d1e4519db867669892a9a2af
Instruction ID: 95699d8ac82c11b9496c22f32373367133e119846621792dd646ee06b18a2513
Opcode Fuzzy Hash: 2c3057a6d72e4af9b810d0de2e42db1f5317f054d1e4519db867669892a9a2af
Instruction Fuzzy Hash: CA120231620215AFEB25AF24DC49FAE7BF8AF86710F104129F915EA2E1DFB4D950CB50

Function 0022F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0022F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026F474
IsIconic.USER32(00000000), ref: 0026F47D
ShowWindow.USER32(00000000,00000009), ref: 0026F48A
SetForegroundWindow.USER32(00000000), ref: 0026F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026F4AA
GetCurrentThreadId.KERNEL32 ref: 0026F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0026F4DE
SetForegroundWindow.USER32(00000000), ref: 0026F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F4F6
keybd_event.USER32(00000012,00000000), ref: 0026F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F50B
keybd_event.USER32(00000012,00000000), ref: 0026F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F519
keybd_event.USER32(00000012,00000000), ref: 0026F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026F528
keybd_event.USER32(00000012,00000000), ref: 0026F52D
SetForegroundWindow.USER32(00000000), ref: 0026F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0026F557

Strings

Shell_TrayWnd, xrefs: 0026F46F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: afa36b9fd4189ff6c69c8206e7344af2c5506cbc171225bf1f539748a85a0742
Instruction ID: 2ed562cbe86142a877f1c3d2525f5205a6bac9966ea00637ee42536400f6d613
Opcode Fuzzy Hash: afa36b9fd4189ff6c69c8206e7344af2c5506cbc171225bf1f539748a85a0742
Instruction Fuzzy Hash: 35313E71A50218BBEF206FB56D4AFBF7E6CEB45B50F200065FA01F61D1CAB15D50AA60

Function 00271201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00271286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002712A8
CloseHandle.KERNEL32(?), ref: 002712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002712D1
GetProcessWindowStation.USER32 ref: 002712EA
SetProcessWindowStation.USER32(00000000), ref: 002712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00271310

Part of subcall function 002710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
Part of subcall function 002710BF: CloseHandle.KERNEL32(?,?,002711FC), ref: 002710E9

Strings

default, xrefs: 0027130B
Z-, xrefs: 00271392
, xrefs: 0027125A
winsta0, xrefs: 002712CC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z-
API String ID: 22674027-3054849001
Opcode ID: feede80a84ed1e12332e196520fcb0f03835ba148f3eccb8fd68a5318b07fa5a
Instruction ID: 6cd19b745ef50f7d26400e0bfd3eacf1f0120e0859a5cedc86557a29380135d7
Opcode Fuzzy Hash: feede80a84ed1e12332e196520fcb0f03835ba148f3eccb8fd68a5318b07fa5a
Instruction Fuzzy Hash: 5281AF7191020AAFDF219FA8DC49FEE7BB9EF05704F148129F918A61A0DB708964CF60

Function 00270B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270C00
GetLengthSid.ADVAPI32(?), ref: 00270C17
GetAce.ADVAPI32(?,00000000,?), ref: 00270C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270C6D
GetLengthSid.ADVAPI32(?), ref: 00270C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270C8C
HeapAlloc.KERNEL32(00000000), ref: 00270C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270CB4
CopySid.ADVAPI32(00000000), ref: 00270CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D45
HeapFree.KERNEL32(00000000), ref: 00270D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D55
HeapFree.KERNEL32(00000000), ref: 00270D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270D65
HeapFree.KERNEL32(00000000), ref: 00270D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00270D78
HeapFree.KERNEL32(00000000), ref: 00270D7F

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction ID: 8ad556af6feab6ce9997c9092dc9f885812e84f4832ecaa8e5875e82bc0fe313
Opcode Fuzzy Hash: b56a1218e9f42137b3874696181422bfe70dcab77d8c667182e2f3c1a2e0dc07
Instruction Fuzzy Hash: 84715E7191020AEBDF10DFA4DC89FAEBBB8FF05310F148525F919A6291DB71A919CF60

Function 0028EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002ACC08), ref: 0028EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0028EB37
GetClipboardData.USER32(0000000D), ref: 0028EB43
CloseClipboard.USER32 ref: 0028EB4F
GlobalLock.KERNEL32(00000000), ref: 0028EB87
CloseClipboard.USER32 ref: 0028EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0028EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0028EBC9
GetClipboardData.USER32(00000001), ref: 0028EBD1
GlobalLock.KERNEL32(00000000), ref: 0028EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0028EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0028EC38
GetClipboardData.USER32(0000000F), ref: 0028EC44
GlobalLock.KERNEL32(00000000), ref: 0028EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0028EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0028ECF3
CountClipboardFormats.USER32 ref: 0028ED14
CloseClipboard.USER32 ref: 0028ED59

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction ID: c4e8d7f1e38a0d444e582051ec53179d4493905a0befa21f3a36c837d3391b7e
Opcode Fuzzy Hash: b47f3396a2949740bf5953141ccf839dd1da4066c5ccaac03a0d80e35bf0eaea
Instruction Fuzzy Hash: 3161EE782143029FD700EF20D888F6AB7E8AF95714F194519F856872E2DF30D959CFA2

Function 0028698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002869BE
FindClose.KERNEL32(00000000), ref: 00286A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00286A75

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00286AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00286ADF

Strings

%03d, xrefs: 00286DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00286B32
%02d, xrefs: 00286C00, 00286C0A, 00286C5A, 00286CAA, 00286CFA, 00286D4A
%4d, xrefs: 00286BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00286B6A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction ID: 26ebaef20e0b2cc474a3bde585cf5a2f7e7243dcfe719507f80d523a83e32b60
Opcode Fuzzy Hash: 6182303b19680c45ebd033aad3d48a5149a976a5d5ad1b7a5855b5681772edea
Instruction Fuzzy Hash: 7BD16F72518300AFC314EBA0D895EAFB7ECAF98704F04492EF585D7191EB74DA94CB62

Function 00289642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00289663
GetFileAttributesW.KERNEL32(?), ref: 002896A1
SetFileAttributesW.KERNEL32(?,?), ref: 002896BB
FindNextFileW.KERNEL32(00000000,?), ref: 002896D3
FindClose.KERNEL32(00000000), ref: 002896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0028974A
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 00289768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00289772
FindClose.KERNEL32(00000000), ref: 0028977F
FindClose.KERNEL32(00000000), ref: 0028978F

Strings

*.*, xrefs: 002896F5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction ID: 898ad8c9159bcd1417db76adf9115c28ffd2b12cf9da9138a4ee90a821451c81
Opcode Fuzzy Hash: ec834186ef073b227b9ff8d162f5016e21113984b9b21b18eaab3ce1f5daa090
Instruction Fuzzy Hash: AA31B47652121A6BDB10AFB4EC0CAEE77AC9F4A320F184156E805E21D0EB30DD908B54

Function 0028979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00289819
FindClose.KERNEL32(00000000), ref: 00289824
FindFirstFileW.KERNEL32(*.*,?), ref: 00289840
SetCurrentDirectoryW.KERNEL32(?), ref: 00289890
SetCurrentDirectoryW.KERNEL32(002D6B7C), ref: 002898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002898B8
FindClose.KERNEL32(00000000), ref: 002898C5
FindClose.KERNEL32(00000000), ref: 002898D5

Part of subcall function 0027DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0027DB00

Strings

*.*, xrefs: 0028983B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction ID: e66f2eafcb030a3f2aaca1957fea26586a33bc54d391b60e80aa37849f2e811f
Opcode Fuzzy Hash: 66ba20e1027f161f2b9710a1e03a5832a7fad76275368686edbd6c6804fbda08
Instruction Fuzzy Hash: 7731803551261B6BEF10AFA4EC48AEE77AC9F06324F284156E814A21D0DB70DEA4CF60

Function 00288195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00288257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00288267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00288273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00288310
SetCurrentDirectoryW.KERNEL32(?), ref: 00288324
SetCurrentDirectoryW.KERNEL32(?), ref: 00288356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0028838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00288395

Strings

*.*, xrefs: 0028839B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction ID: d7ab884ca754347354850512266e8b9d9c2afa675557839a7367c8dae3a85a12
Opcode Fuzzy Hash: b286847d7fc5135ec358afc61ead52976c4592fba277458fb64505180d8f8e8c
Instruction Fuzzy Hash: FF61ACB65243459FCB10EF20C8449AEB3E8FF89310F44885EF98983251EB31E965CF92

Function 0027D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0027D1DD
MoveFileW.KERNEL32(?,?), ref: 0027D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D237

Part of subcall function 0027D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0027D21C,?,?), ref: 0027D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0027D253
FindClose.KERNEL32(00000000), ref: 0027D264

Strings

\*.*, xrefs: 0027D0CD, 0027D0D6, 0027D0EB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3aa6a6716d440a9b7d7be360b9d0227de1c5ef10d7a84ecad04b41d6b9321e2b
Instruction ID: a54118f6fa08ef0dd937775ea9ceac2e33192f904335ae6911637aa506b30f2c
Opcode Fuzzy Hash: 3aa6a6716d440a9b7d7be360b9d0227de1c5ef10d7a84ecad04b41d6b9321e2b
Instruction Fuzzy Hash: DA617E3181114D9BCF05EFE0D9529EDB7B5AF25300F2480A5E80A77192EB316FA9CF60

Function 0028ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0028ED91
EmptyClipboard.USER32 ref: 0028ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0028EDAC
CloseClipboard.USER32 ref: 0028EEA3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction ID: ee774e7a52bb267f5f7e0f8970b8b6ad821fefea6faeeb7c4a6702f44f4c2862
Opcode Fuzzy Hash: fe4c36a41a3c9f4c551ce1e6a17de686481ca3eb81cbade733e65bec24517a38
Instruction Fuzzy Hash: F841CF79215612AFD710EF15E888F19BBE5EF45328F25C099E4158B6A2CB31EC52CF90

Function 0027E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
Part of subcall function 002716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
Part of subcall function 002716C3: GetLastError.KERNEL32 ref: 0027174A

ExitWindowsEx.USER32(?,00000000), ref: 0027E932

Strings

@, xrefs: 0027E925
, xrefs: 0027E920
, xrefs: 0027E95C
SeShutdownPrivilege, xrefs: 0027E902

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction ID: bab577856d3a057f208f49c66238a399c7c93df93a1defbd28cc152803e8e6aa
Opcode Fuzzy Hash: f9bbe3c6180fe11c4a66285237b9542f8ec5dc38336df8c6388d13cba8211ada
Instruction Fuzzy Hash: 4901DB73630211EBEF542674AC89BBB725C9B18750F168462FE06E21D1DAB05C6086B0

Function 00291204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00291276
WSAGetLastError.WSOCK32 ref: 00291283
bind.WSOCK32(00000000,?,00000010), ref: 002912BA
WSAGetLastError.WSOCK32 ref: 002912C5
closesocket.WSOCK32(00000000), ref: 002912F4
listen.WSOCK32(00000000,00000005), ref: 00291303
WSAGetLastError.WSOCK32 ref: 0029130D
closesocket.WSOCK32(00000000), ref: 0029133C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction ID: 144c91d78e7858ed054b337d569a20ed7e9d946651188019e3134c7f2a5d8ab9
Opcode Fuzzy Hash: 6ce9a9f2e9f8300048b9d258b30cfbc99bb9c3ef3b3ada305ce8b08ef779e9c5
Instruction Fuzzy Hash: 1E419231A101129FDB10EF25D488B69BBF6BF46318F288198D8568F2D6C775EC91CBE1

Function 0024B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0024B9D4
_free.LIBCMT ref: 0024B9F8
_free.LIBCMT ref: 0024BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002B3700), ref: 0024BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0024BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002E1270,000000FF,?,0000003F,00000000,?), ref: 0024BC36
_free.LIBCMT ref: 0024BD4B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8a902094681f16424cf997a5d530d58bde7b50f03593375d5124035f6232016d
Instruction ID: c05ae07a84cabc69aa84733f3f2fa7c350e74bd5c24e96aeb04841f629aae19b
Opcode Fuzzy Hash: 8a902094681f16424cf997a5d530d58bde7b50f03593375d5124035f6232016d
Instruction Fuzzy Hash: 92C16C71924256AFCB2ADF39DC85BAE7BB8EF41310F1441AAE990DB251D730CE61CB50

Function 0027D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

FindFirstFileW.KERNEL32(?,?), ref: 0027D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D481
FindClose.KERNEL32(00000000), ref: 0027D498
FindClose.KERNEL32(00000000), ref: 0027D4A1

Strings

\*.*, xrefs: 0027D3F2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 932e10365b765dfec63fbaf75f573f4390684fc42b2ba212b42f2e0374aad76f
Instruction ID: 30605bab8f5b54346aa228b64d2e8fec828e5840bfacd42620055cdb5d7f8659
Opcode Fuzzy Hash: 932e10365b765dfec63fbaf75f573f4390684fc42b2ba212b42f2e0374aad76f
Instruction Fuzzy Hash: 573192710283459BC300EF64D8658EF77E8BEA2310F44891DF4D552191EB30AA59DB63

Function 0024E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0024E645

Strings

1#IND, xrefs: 0024F83D
1#INF, xrefs: 0024F852
1#SNAN, xrefs: 0024F844
1#QNAN, xrefs: 0024F84B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction ID: b6ff2753abe119c877b8b54b1dbaa8569ebfe60bed8149c4f7c14885a5937232
Opcode Fuzzy Hash: 6ed72740656227169ae0293a133a3de193c6c532380852a36dd952860dd02c6f
Instruction Fuzzy Hash: 63C23872E246298FDF69CE289D407EAB7B5FB84304F1541EAD84DE7240E774AE918F40

Function 0028648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002864DC
CoInitialize.OLE32(00000000), ref: 00286639
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 00286650
CoUninitialize.OLE32 ref: 002868D4

Strings

.lnk, xrefs: 002864BA, 00286524, 002865E0

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction ID: 8ca658d1ac5b6533b271f2ed024eb0b2f1bcd3f95d267cd2ce7628ed07c458d8
Opcode Fuzzy Hash: 10f5b545aac0385c55835d68f96627a8810c109774c6463e03850aaf915e7639
Instruction Fuzzy Hash: C3D17975528301AFC310EF24C8859ABB7E8FF98304F50496DF5958B2A1EB30ED59CB92

Function 002922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002922E8

Part of subcall function 0028E4EC: GetWindowRect.USER32(?,?), ref: 0028E504

GetDesktopWindow.USER32 ref: 00292312
GetWindowRect.USER32(00000000), ref: 00292319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00292355
GetCursorPos.USER32(?), ref: 00292381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002923DF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction ID: 92d820f0d036a023c4dcc5da5dbe189f259cc3d27733111442d398955f1ec852
Opcode Fuzzy Hash: e630619076ddf0237c2e4a92532b1fa9b20cf2bc5229e0a70a8997f0dbcdc198
Instruction Fuzzy Hash: 67310072504306AFDB20DF14DC09B5BBBADFF88310F100919F988A7181DB34EA18CB96

Function 00289B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00289B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00289C8B

Part of subcall function 00283874: GetInputState.USER32 ref: 002838CB
Part of subcall function 00283874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00283966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00289BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00289C75

Strings

*.*, xrefs: 00289B5D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 585748db7f2e0e373ffd375c608d719f4b42346970729b3c2544c5373e90883a
Instruction ID: 9327834e17a9402cd89175bdf63733336818939da07d3de1ec1ec88e5bd8e1bb
Opcode Fuzzy Hash: 585748db7f2e0e373ffd375c608d719f4b42346970729b3c2544c5373e90883a
Instruction Fuzzy Hash: 7741827591120AAFCF15EFA4C849AEE7BF4EF19310F244056E805A21D1EB319EE4CF60

Function 0022997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00229A4E
GetSysColor.USER32(0000000F), ref: 00229B23
SetBkColor.GDI32(?,00000000), ref: 00229B36

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f7527c4cc2f5d01fca5c84194e1dd5bfbc3c3da39c3370e6cf6b239299bbc8ec
Instruction ID: ed180eb8977807faedbe87c208f613336862b157d004fe6d6caae91e79b2026c
Opcode Fuzzy Hash: f7527c4cc2f5d01fca5c84194e1dd5bfbc3c3da39c3370e6cf6b239299bbc8ec
Instruction Fuzzy Hash: 07A13770138561BEE729AEACBC98E7B269DDF43304F140219F402D6591CE659DF1C671

Function 00291806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0029185D
WSAGetLastError.WSOCK32 ref: 00291884
bind.WSOCK32(00000000,?,00000010), ref: 002918DB
WSAGetLastError.WSOCK32 ref: 002918E6
closesocket.WSOCK32(00000000), ref: 00291915

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction ID: 705ca92d50a9ba48dd23a800e0d489c1e8c94aac3178949849dd17955b047ac8
Opcode Fuzzy Hash: 1188f56b3dce7620b8590e9539d5105563f02a2672fafec472f29d647be5bc9e
Instruction Fuzzy Hash: AE51E375A10210AFEB10AF24D88AF6AB7E5AF44718F148098F9155F3D3CB71ED61CBA1

Function 002A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A1CC0
IsWindowEnabled.USER32 ref: 002A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002A1CDB
IsIconic.USER32 ref: 002A1CE9
IsZoomed.USER32 ref: 002A1CF7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e96805648e9a367142e0fd321a30a6e616d8a8c62e1cc6f1f1c01aa16328263d
Instruction ID: 317ec37c70687b41fa482f75921c61d2dd96266102fb0f451d510cabbe0aefbd
Opcode Fuzzy Hash: e96805648e9a367142e0fd321a30a6e616d8a8c62e1cc6f1f1c01aa16328263d
Instruction Fuzzy Hash: 5821E7317506119FD7208F1AD844B667BE6EF96334F28805AE846CB351CF71DC62CB91

Function 00218060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002183E8
VUUU, xrefs: 00255DF0
VUUU, xrefs: 002183FA
ERCP, xrefs: 0021813C
VUUU, xrefs: 0021843C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction ID: 9ff60f7a1cb02dc6ed5bf0175705a5daeba9c298f70dd20d45cd25dad75036fa
Opcode Fuzzy Hash: 4435246b69d78788ac4040c38a2ac2c11d740a8ec452b57b5d4d55799c83ff20
Instruction Fuzzy Hash: 80A2BF70E2021ACBDF24CF58C8947EDB3B1BB64311F64819AEC15A7284EB709DE5CB94

Function 00278298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002782AA

Strings

(, xrefs: 002782F0
tb-, xrefs: 002784F4
|, xrefs: 002782DA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: lstrlen
String ID: ($tb-$|
API String ID: 1659193697-4172324640
Opcode ID: 4b29ac8c6af638fcbe52580df4f7d420005879cc2166f025ce9f5fc16492b7f5
Instruction ID: 9f0eac93659cb08195943896d1b28ce548a3453ab843949e769010ad8c030c90
Opcode Fuzzy Hash: 4b29ac8c6af638fcbe52580df4f7d420005879cc2166f025ce9f5fc16492b7f5
Instruction Fuzzy Hash: 34324774A107069FCB28CF59C08596AB7F0FF48710B15C56EE49ADB7A1EB70E951CB40

Function 0029A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0029A6BA

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Process32NextW.KERNEL32(00000000,?), ref: 0029A79C
CloseHandle.KERNEL32(00000000), ref: 0029A7AB

Part of subcall function 0022CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00253303,?), ref: 0022CE8A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: af5b9647ba4ad71f0f4889353577e79691be791b2f25aad69e3906c7cb9a7505
Instruction ID: 405147b5c0a672c197a608da1a343dd869c0678c7f280442cea7a78933d08bd7
Opcode Fuzzy Hash: af5b9647ba4ad71f0f4889353577e79691be791b2f25aad69e3906c7cb9a7505
Instruction Fuzzy Hash: AE516B71518300AFD710EF24D886AABBBE8FF99754F00892DF58997252EB30D954CF92

Function 0027AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0027AAAC
SetKeyboardState.USER32(00000080), ref: 0027AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0027AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0027AB88

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction ID: 7aaecf49d6ae20f5070db603f6d22c889290e6f01279902722b918fa04f9b398
Opcode Fuzzy Hash: 4922138acab110877c0c034e6c8dd5ce254f72a1edd92a22304851d8520de795
Instruction Fuzzy Hash: 1D311730A60209AFEB25CE64C805BFE77A6ABE5334F14D21AF189521D0D77489A1C752

Function 0028CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0028CE89
GetLastError.KERNEL32(?,00000000), ref: 0028CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0028CEFE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dd9e5ebad0191d981bb866c30147b8bd4059a1b6a572059c857ae26c842106c0
Instruction ID: 22312d17f8614a1ff785c1af202eccc6f4b075f601ad8c1bcb2639fac22ba225
Opcode Fuzzy Hash: dd9e5ebad0191d981bb866c30147b8bd4059a1b6a572059c857ae26c842106c0
Instruction Fuzzy Hash: 7221CFB5521306ABEB30EF65D948BA7B7FCEB50314F20442EE646D2191EB74EE148F60

Function 00285C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00285CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00285D17
FindClose.KERNEL32(?), ref: 00285D5F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 806f5413a8ad12444d0d264cb92b489612ed051c38b2c418ce291b0c3c521584
Instruction ID: 2b8f0068cf5bd13d5e6b4dfb87201f4a4f5f04f36a90a15b50c75e9a41db0575
Opcode Fuzzy Hash: 806f5413a8ad12444d0d264cb92b489612ed051c38b2c418ce291b0c3c521584
Instruction Fuzzy Hash: 8E51BC786146029FC714DF28C484E96B7E4FF4A314F14855EE95A8B3A2CB30ED64CF91

Function 00242622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0024271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00242724
UnhandledExceptionFilter.KERNEL32(?), ref: 00242731

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction ID: b85e87645019ec2925a4ec7fa819e7e8a09cfbb8344e0b8862d071c02a5b5bde
Opcode Fuzzy Hash: 14fd6687245d2bf9667710d862eb3d2b010f8b1676dcdeb588643f7ec9c1ffbd
Instruction Fuzzy Hash: 6531D57491121D9BCB21DF64DD887DCBBB8AF08310F5041EAE80CA7260EB309F958F44

Function 002851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00285238
SetErrorMode.KERNEL32(00000000), ref: 002852A1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction ID: 2c19c4d6e157c73c1b3dcbe50496baed4ac2797b205e95ea86fc943f998df34a
Opcode Fuzzy Hash: 4b48a2080170cf7aacc57ba9e99d9ae6f9bb136f13e0d2ab11161ea7005eb58c
Instruction Fuzzy Hash: 2B314F75A10518DFDB00DF54D888EADBBF4FF49314F148099E8099B3A6DB31E856CB50

Function 002716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230668
Part of subcall function 0022FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00230685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027173A
GetLastError.KERNEL32 ref: 0027174A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1fd3e9b30ff921f6140aa5574b7f51372b03e83a6b8ffb8263cfec62b8639b46
Instruction ID: 71526911a19d54129504eb780207cb9ec1a28e43f6a485050dbfc168d9fb4f26
Opcode Fuzzy Hash: 1fd3e9b30ff921f6140aa5574b7f51372b03e83a6b8ffb8263cfec62b8639b46
Instruction Fuzzy Hash: C61191B2424305BFD7189F54EC86D6BB7BDEF45714B20C56EF05657241EB70BC618A20

Function 0027D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0027D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0027D650

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction ID: fc6a81c3369f35ab7e1d606b71ed3701916a5c232774a3009e559b5874338cad
Opcode Fuzzy Hash: 848456fc179d357fe1ee47325f6eef4642c790e4c7b4f16ab40b5483b9492ca5
Instruction Fuzzy Hash: C5116175E05228BFDB108F95EC49FAFBFBCEB45B50F108155F908E7290D6704A058BA1

Function 00271663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0027168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002716A1
FreeSid.ADVAPI32(?), ref: 002716B1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction ID: b1d22248fbb7fedb4fa22c9e4da0302845a70e491121ee964fdd6716ed2b6a81
Opcode Fuzzy Hash: 33c6148f5416482cb1b6e3f7bd11b0b25be6c06979b23af07ce2b0276050a46c
Instruction Fuzzy Hash: 26F0F47195030DFBDB00DFE49C89AAEBBBCEB08604F608565E501E2181E774AA448A50

Function 00234CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000,?,002428E9), ref: 00234D09
TerminateProcess.KERNEL32(00000000,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000,?,002428E9), ref: 00234D10
ExitProcess.KERNEL32 ref: 00234D22

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6af6fb33caa57ee31b15f0e870a26a7b9b468ecbadae8905e0eca8a5625c773f
Instruction ID: edf255b932748bfdb168af83c11c90475531751bd2a6083585b8f88cb655af18
Opcode Fuzzy Hash: 6af6fb33caa57ee31b15f0e870a26a7b9b468ecbadae8905e0eca8a5625c773f
Instruction Fuzzy Hash: FEE0B671010149ABCF11BF54ED0DA593B69EB46781F204094FC099A132CF35ED62CE80

Function 0024C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0024C36C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6520880e59dcae70c9881204879e8e0d510b5e37f5657078ce22b51062cd208b
Instruction ID: 59e6264159e2e461a715c6cd40b28cfe56131a7935bb9dccf36382bff4493412
Opcode Fuzzy Hash: 6520880e59dcae70c9881204879e8e0d510b5e37f5657078ce22b51062cd208b
Instruction Fuzzy Hash: 9B416C7291121AAFCB28DFBDDC48EBB7B78EB84314F2042A9F905C7180E6709D50CB50

Function 0026D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0026D28C

Strings

X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction ID: 35d64401a73fb36544bacfe4ac377f200263269887baf330721c2f331ead62e6
Opcode Fuzzy Hash: 2ac6dc8aa9446ed32d07386747c7d0f67484d8f408d99116242a383f12f73cb9
Instruction Fuzzy Hash: C3D0C9B482516DEBCB90CB90EC88DD9B37CBB04305F100151F506A2000DB7096488F10

Function 0023CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bf09ed8c9746f99418ebe908a1f45a77062fc60f4a97dd1f4bbf4101515f712c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53021DB2E102199FDF14CFA9C8806ADFBF5EF48324F25816AD819F7384D731A9518B94

Function 0021CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#., xrefs: 0021CF7F
Variable is not of type 'Object'., xrefs: 00260C40

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#.
API String ID: 0-2365962978
Opcode ID: 813536169a1568fb91857c590b0e7f1b6ad63ccab5394352436294d3eb3ff110
Instruction ID: c4bc6f724de54e7c7575e6462637e3283b11295eb3808ebc6d48451917c882fa
Opcode Fuzzy Hash: 813536169a1568fb91857c590b0e7f1b6ad63ccab5394352436294d3eb3ff110
Instruction Fuzzy Hash: 2E32AE74960219DBCF14DF90D881AEEB7F5FF24304F20405AE806AB292D771AEA6DF50

Function 002868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00286918
FindClose.KERNEL32(00000000), ref: 00286961

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction ID: 5938a820a7d811f1ca063cf194a096bf58ea478e7144e416c6e838d317ec93fc
Opcode Fuzzy Hash: cb92780e3fd2d62d2ec6eb52ce89e3d25a4b76f46219c4e8d5c9fb03277b53c2
Instruction Fuzzy Hash: E01190356142019FC710DF29D488A16BBE5FF85328F14C699E8698F7A2CB30EC55CB91

Function 002837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00294891,?,?,00000035,?), ref: 002837F4

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction ID: c5d6cc42b79fe6b086df1262d8e5f9467a83d855c4bafb169f1d10e1468b6bd6
Opcode Fuzzy Hash: dc1d64555999c368520e0f2d12512daf45ca0a219d81a8cf0da919615b3fdb7a
Instruction Fuzzy Hash: E3F0E5B46153292BEB2067669C4DFEB7AEEEFC5B61F000175F909D22C1D9A09D44CBB0

Function 0027B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0027B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0027B270

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction ID: da59271a75e726464f8446dd9b3cc857d2fe7ff626842db19ced525ae560d42c
Opcode Fuzzy Hash: 98cafa292266ad9cb427ec8a0df8dd0f2119e0ae2296bf3a245d0df7714cdc57
Instruction Fuzzy Hash: 4EF01D7181424EABDB059FA0D805BBE7BB4FF05309F10800AF955A5192C7798611DF94

Function 002710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002711FC), ref: 002710D4
CloseHandle.KERNEL32(?,?,002711FC), ref: 002710E9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6731a8a36ed6e49eb5f71435b8673b353b086de9c41d6aeefd0c2129fc046ae3
Instruction ID: eaffb27e65942f7342e1b3dcc0d55683ebf2dc44e56b8ab9721187d6ee9f48a8
Opcode Fuzzy Hash: 6731a8a36ed6e49eb5f71435b8673b353b086de9c41d6aeefd0c2129fc046ae3
Instruction Fuzzy Hash: 57E04F32028610BFE7252B51FD09E7377A9EF04310B20882DF4A6804B1DF626CA0DB10

Function 0024676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00246766,?,?,00000008,?,?,0024FEFE,00000000), ref: 00246998

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction ID: 08beacb2ef623bd70fdd82722c9c9645b304022442204fbb4170fa81650a91f4
Opcode Fuzzy Hash: 8cf31f1b94a2b8d07c86ca1add1d6356ceccac56186a76c73fbcb05a1e2dc65b
Instruction Fuzzy Hash: 53B18C31620609CFD719CF28C48AB647BE0FF46364F25C658E899CF2A2C375E9A5CB41

Function 0022B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0026851F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction ID: 06d7625aabffd61325475633162f3145ce9230e803e39c5b8758c4d19437fdf5
Opcode Fuzzy Hash: 3dd5f34b3248f46a47fbbd65347f5910078583e8689f94653514a5caafdcca3f
Instruction Fuzzy Hash: D5127071D202299BCB25DF98D8906EEB7F5FF48310F14819AE849EB251DB709E91CF90

Function 0028EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0028EABD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction ID: 654c9aabeada4aeefafd31a354982f1a4a929a6420f140fde3506066dacb98db
Opcode Fuzzy Hash: dd4235acb02c4dad0fe73589f4883a4abf938ce12e46a7d367ce397005ac5a12
Instruction Fuzzy Hash: 73E048352202049FC710EF59D404D9AF7EDAF98760F118416FC45C7391DB70E8518F90

Function 002309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002303EE), ref: 002309DA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction ID: 05a9182b52d48c61eb8be5851d042debc891f78779f7f5dd471cd548cea9368e
Opcode Fuzzy Hash: ca02e44bc7d7eb8a85ddb4d5f7d139ac9f1d1ba55452736ccf3f90e736b90aee
Instruction Fuzzy Hash:

Function 0023781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0023798B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6084aecbe132c824ed6addc9d39ce936c67f67ad4439630084117d0e1ec7e9aa
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B7516CF163C7476BDF384D68445E7BE63D99B02300F180A1AE982DB282C655DE35F752

Function 00282046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&., xrefs: 00282053

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: 0&.
API String ID: 0-3290608233
Opcode ID: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction ID: a2d997bc544fc6d9022ba513d93bf0a351408078762aa80738e1889bb1874412
Opcode Fuzzy Hash: e2bd9f59836ef480e1152d72a794c3f13bfcb921825691dcbc51e82ef50b11d0
Instruction Fuzzy Hash: F721EB32661611CBDB28CF79C85367E73E9A764310F15862EE4A7C77D0DE75A908CB80

Function 00246DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction ID: 394557d48c2abf37fa427b91834f267587b5edf3527eabd23eb58cd8d0e118b5
Opcode Fuzzy Hash: 22f9e7defc78e6c82488fd520e517ad57900ad331f23a3ff890ef3147ed693cc
Instruction Fuzzy Hash: 69324522D39F024DDB279A34DC26336A64DAFB73C5F15C737E82AB59A5EB28D4834100

Function 0022CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction ID: c3c95aea608ec4dea549200be222215867ef0c57b022b54e653433f5ba90e59e
Opcode Fuzzy Hash: 9bb18eadb11cd3972d5885ff0be33251cce0a3438de8d985364723b298362979
Instruction Fuzzy Hash: B3321431A341569BCF28EFA8D49467D7BA1EB45304F38816BD4CACB2A1D630DEE1DB41

Function 00217920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c47a1ef5983a2ffb74b002efdf6fd97995228545fec66147a8d0818e99f6ed8
Instruction ID: ed9603bcdb7b3f70ea9d0cf7039c60b8d428bd7f6b3ceb08d9f3de4efa2f392e
Opcode Fuzzy Hash: 6c47a1ef5983a2ffb74b002efdf6fd97995228545fec66147a8d0818e99f6ed8
Instruction Fuzzy Hash: 6722E2B0A2461AEFDF04CFA4D991AEEB3F5FF54300F104129E816A7290EB359E64CB54

Function 002191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cd6fd182c797fb14de8ff4ef4637120df5148904127ce59b94edd3249bcb5f
Instruction ID: b1bd376c0d9046d0bcaad5e7f324b6e3fcde691f40c879180a4d5ff02be61bcc
Opcode Fuzzy Hash: 91cd6fd182c797fb14de8ff4ef4637120df5148904127ce59b94edd3249bcb5f
Instruction Fuzzy Hash: A202C4B1E20106EBDF04DF64D981AAEB7B5FF54300F118169E8169B290EB71AE74CF85

Function 00231C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4c1778dfd5e0de28fdebff58a67669e063f39ade0788e3202b401bd599a12a6e
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: AE918BB35280A34ADB6D4A3E857407EFFE15A523A1B1A079ED4F2CB1C5FE14C974D620

Function 002319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8a573fda305b16e433452b8577e2d088c177a49760f3945882ad5b7f7c179e30
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A19167B22290E34EDB2D4A7A857403DFFE15A923A6B1A079ED4F2CA1C1FD14C574D620

Function 00237A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3aff83a684c57745615ff1127d87380247672936c9d5234bcc30e432da11b00
Instruction ID: addd47b445f16f2540c75106c4f74d686f9c8e16dbb5d8ce36edf004243bddc5
Opcode Fuzzy Hash: b3aff83a684c57745615ff1127d87380247672936c9d5234bcc30e432da11b00
Instruction Fuzzy Hash: E46159F123870B66DE349E288895BBEA3AADF41708F14091AF843DF281DA519E72C755

Function 00237CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24180d17b45cb3cf8b653d2c5d6b17869e136988f6952e4ea8567dce280473c
Instruction ID: 593773a6f026589c3e681a186ae6b114c92b5ac2c378828e89cdd315465a033d
Opcode Fuzzy Hash: c24180d17b45cb3cf8b653d2c5d6b17869e136988f6952e4ea8567dce280473c
Instruction Fuzzy Hash: F26168F163870F66DE389E288896BBE23989F42700F10095AF943DF281DB52DD72C655

Function 00231706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7bc20f6363384791c3fe7021d0a7510caa14813600979fbe7c25b52ffa8a1e22
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 438188B36290A34DEB6D4A3A853453EFFE15A923A1B1E079DD4F2CB1C1EE14C574D620

Function 00292ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292B30
DeleteObject.GDI32(00000000), ref: 00292B43
DestroyWindow.USER32 ref: 00292B52
GetDesktopWindow.USER32 ref: 00292B6D
GetWindowRect.USER32(00000000), ref: 00292B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00292CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00292CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292CF8
GetClientRect.USER32(00000000,?), ref: 00292D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00292D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DA8
GlobalFree.KERNEL32(00000000), ref: 00292DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002AFC38,00000000), ref: 00292DDB
GlobalFree.KERNEL32(00000000), ref: 00292DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00292E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00292E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00292E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029303F

Strings

, xrefs: 00292FC5
static, xrefs: 00292D3A, 00292E91
AutoIt v3, xrefs: 00292CF2
DISPLAY, xrefs: 00292EA2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction ID: d6108907ebccb0e4b19cd132c356b75d8634b6279a0c186dbfd59285515915ee
Opcode Fuzzy Hash: 94aeda847545404bc020d4d7d801710af41ec4c9ea43d2ecc57d5b7591ae7634
Instruction Fuzzy Hash: 03028971A10205EFDB14DF64DC8DEAE7BB9EB49710F108158F915AB2A1DB70AD11CFA0

Function 002A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002A712F
GetSysColorBrush.USER32(0000000F), ref: 002A7160
GetSysColor.USER32(0000000F), ref: 002A716C
SetBkColor.GDI32(?,000000FF), ref: 002A7186
SelectObject.GDI32(?,?), ref: 002A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 002A71C0
GetSysColor.USER32(00000010), ref: 002A71C8
CreateSolidBrush.GDI32(00000000), ref: 002A71CF
FrameRect.USER32(?,?,00000000), ref: 002A71DE
DeleteObject.GDI32(00000000), ref: 002A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 002A7230
FillRect.USER32(?,?,?), ref: 002A7262
GetWindowLongW.USER32(?,000000F0), ref: 002A7284

Part of subcall function 002A73E8: GetSysColor.USER32(00000012), ref: 002A7421
Part of subcall function 002A73E8: SetTextColor.GDI32(?,?), ref: 002A7425
Part of subcall function 002A73E8: GetSysColorBrush.USER32(0000000F), ref: 002A743B
Part of subcall function 002A73E8: GetSysColor.USER32(0000000F), ref: 002A7446
Part of subcall function 002A73E8: GetSysColor.USER32(00000011), ref: 002A7463
Part of subcall function 002A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
Part of subcall function 002A73E8: SelectObject.GDI32(?,00000000), ref: 002A7482
Part of subcall function 002A73E8: SetBkColor.GDI32(?,00000000), ref: 002A748B
Part of subcall function 002A73E8: SelectObject.GDI32(?,?), ref: 002A7498
Part of subcall function 002A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002A74B7
Part of subcall function 002A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
Part of subcall function 002A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ce0a0eaac381313a8df8e27fee61ff6d43e18963cace5fc7025f1461f8c52c4c
Instruction ID: fdd217266808b271caa47bff8f9fbc6d5ee379c6e4f86846829d51ce20e8517f
Opcode Fuzzy Hash: ce0a0eaac381313a8df8e27fee61ff6d43e18963cace5fc7025f1461f8c52c4c
Instruction Fuzzy Hash: 24A1A372518301AFDB009F60EC4CA5BBBE9FF4A320F200A19F966A61E1DB71E954CF51

Function 00228D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00228E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00266AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00266AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00266F43

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00228BE8,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228FC5

SendMessageW.USER32(?,00001053), ref: 00266F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00266F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00266FB7

Strings

0, xrefs: 00266DCF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction ID: 0c0aa88ebe893425b0f352fef5591e9110af49aa4e278df52fdd9cfd8194f6f8
Opcode Fuzzy Hash: 3308f2f02d27b7a89766bdc5bca95e57f4c1d2e0005646d7b35ecaf4084c5529
Instruction Fuzzy Hash: 9D129B30621252EFD729CF24E888BA9B7E5BB45300F154469F4859B662CB72ECB1CF91

Function 00292711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0029273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0029286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00292900
GetClientRect.USER32(00000000,?), ref: 0029290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00292955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00292964
GetStockObject.GDI32(00000011), ref: 00292974
SelectObject.GDI32(00000000,00000000), ref: 00292978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00292988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292991
DeleteDC.GDI32(00000000), ref: 0029299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00292A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00292A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00292A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00292A77
GetStockObject.GDI32(00000011), ref: 00292A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00292A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00292A97

Strings

msctls_progress32, xrefs: 00292A13
static, xrefs: 0029294F, 00292A71
AutoIt v3, xrefs: 002928F8
DISPLAY, xrefs: 0029295A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction ID: bac5c257a81756ba46d57fd5f47093f962abc43c1a62fb19206c4189af68ad81
Opcode Fuzzy Hash: 1746e4c7bee64475d1df6441874c0e9b45118efccdf425d36da2c554fd58bdb9
Instruction Fuzzy Hash: 68B16A71A50205BFEB14DFA8DC89FAEBBB9EB49710F104154F914EB290DB70AD50CBA0

Function 00284ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284AED
GetDriveTypeW.KERNEL32(?,002ACB68,?,\\.\,002ACC08), ref: 00284BCA
SetErrorMode.KERNEL32(00000000,002ACB68,?,\\.\,002ACC08), ref: 00284D36

Strings

Network, xrefs: 00284C02
FileBackedVirtual, xrefs: 00284CEC
ATAPI, xrefs: 00284C91
Removable, xrefs: 00284C10, 00284C15
RAID, xrefs: 00284CBB
MMC, xrefs: 00284CDE
1394, xrefs: 00284C9F
Virtual, xrefs: 00284CE5
iSCSI, xrefs: 00284CC2
Fixed, xrefs: 00284C09
SATA, xrefs: 00284CD0
ATA, xrefs: 00284C98
SSD, xrefs: 00284C4A
SSA, xrefs: 00284CA6
PhysicalDrive, xrefs: 00284B76
\\.\, xrefs: 00284B3F
CDROM, xrefs: 00284BFB
SCSI, xrefs: 00284C8A
Unknown, xrefs: 00284BED, 00284C83
RAMDisk, xrefs: 00284BF4
USB, xrefs: 00284CB4
SAS, xrefs: 00284CC9
Fibre, xrefs: 00284CAD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a61a3b8a5fea78303084c494cecc91afccdf8fa700e424f51ca61931327fbf85
Instruction ID: 49e435113685efd30c1c0a7dc7ca860ffb7ed2a165ac8215e79f9134c2f56d35
Opcode Fuzzy Hash: a61a3b8a5fea78303084c494cecc91afccdf8fa700e424f51ca61931327fbf85
Instruction Fuzzy Hash: FF61A1386361079BCB04FF24DA859ACB7B5AB15304B248117F806ABBD1DBB1EDB1DB41

Function 002A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002A7421
SetTextColor.GDI32(?,?), ref: 002A7425
GetSysColorBrush.USER32(0000000F), ref: 002A743B
GetSysColor.USER32(0000000F), ref: 002A7446
CreateSolidBrush.GDI32(?), ref: 002A744B
GetSysColor.USER32(00000011), ref: 002A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7471
SelectObject.GDI32(?,00000000), ref: 002A7482
SetBkColor.GDI32(?,00000000), ref: 002A748B
SelectObject.GDI32(?,?), ref: 002A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 002A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 002A7572
DrawFocusRect.USER32(?,?), ref: 002A757D
GetSysColor.USER32(00000011), ref: 002A758E
SetTextColor.GDI32(?,00000000), ref: 002A7596
DrawTextW.USER32(?,002A70F5,000000FF,?,00000000), ref: 002A75A8
SelectObject.GDI32(?,?), ref: 002A75BF
DeleteObject.GDI32(?), ref: 002A75CA
SelectObject.GDI32(?,?), ref: 002A75D0
DeleteObject.GDI32(?), ref: 002A75D5
SetTextColor.GDI32(?,?), ref: 002A75DB
SetBkColor.GDI32(?,?), ref: 002A75E5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 21e0faa8e2c3fde23bd5038f7f461a7eaced511f7f0c102131a1354545e0e530
Instruction ID: 4547e5e30b8ccc175d67d895a2ef86e65e84d1ede62dcf469c232b3a286886ae
Opcode Fuzzy Hash: 21e0faa8e2c3fde23bd5038f7f461a7eaced511f7f0c102131a1354545e0e530
Instruction Fuzzy Hash: 83614272D04219AFDF019FA4EC49A9EBFB9EB0A320F214125F915B72A1DB749950CF90

Function 002A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A1128
GetDesktopWindow.USER32 ref: 002A113D
GetWindowRect.USER32(00000000), ref: 002A1144
GetWindowLongW.USER32(?,000000F0), ref: 002A1199
DestroyWindow.USER32(?), ref: 002A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002A1245
IsWindowVisible.USER32(00000000), ref: 002A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002A12D0
GetWindowRect.USER32(00000000,?), ref: 002A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002A130E
GetMonitorInfoW.USER32(00000000,?), ref: 002A1328
CopyRect.USER32(?,?), ref: 002A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002A13AA

Strings

(, xrefs: 002A131B
0, xrefs: 002A10D3
tooltips_class32, xrefs: 002A11E6

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction ID: a5b3749c3048d22f293a331b5fde06eafa0273e7127b9c7ca269d3c62526d051
Opcode Fuzzy Hash: d71d3bcf6a6d98c22667619322165dbccd4272a0ab38a4bd3ba76b57063c6a5c
Instruction Fuzzy Hash: FCB1AF71618341AFDB04DF64C888BAABBE5FF85750F00891CF9999B261CB71E864CF91

Function 002A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A02E5
_wcslen.LIBCMT ref: 002A031F
_wcslen.LIBCMT ref: 002A0389
_wcslen.LIBCMT ref: 002A03F1
_wcslen.LIBCMT ref: 002A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A0504

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

Part of subcall function 0027223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00272258
Part of subcall function 0027223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027228A

Strings

VIEWCHANGE, xrefs: 002A0675
SELECT, xrefs: 002A0548
GETTEXT, xrefs: 002A03EC, 002A0407
SELECTINVERT, xrefs: 002A057E
GETSUBITEMCOUNT, xrefs: 002A0384, 002A039F
GETSELECTEDCOUNT, xrefs: 002A0470, 002A048B
FINDITEM, xrefs: 002A0627
SELECTALL, xrefs: 002A0515
GETSELECTED, xrefs: 002A05E1
SELECTCLEAR, xrefs: 002A052D
GETITEMCOUNT, xrefs: 002A0316, 002A0337
ISSELECTED, xrefs: 002A04DD
DESELECT, xrefs: 002A059C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 322a3fd4288b5f0fd240a11cbb61583ffe22f62c55a29d6b2a26bc1f1daa3667
Instruction ID: ca5b32b6a99fb70def952423899f6139bb406fe14872a2d4578785c86eb9533a
Opcode Fuzzy Hash: 322a3fd4288b5f0fd240a11cbb61583ffe22f62c55a29d6b2a26bc1f1daa3667
Instruction Fuzzy Hash: BDE1DF312383019FCB14DF24C59092AB3E6BF9A714F50496DF8969B3A1DB30EDA5CB81

Function 00228891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00228968
GetSystemMetrics.USER32(00000007), ref: 00228970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0022899B
GetSystemMetrics.USER32(00000008), ref: 002289A3
GetSystemMetrics.USER32(00000004), ref: 002289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00228A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00228A3C
GetClientRect.USER32(00000000,000000FF), ref: 00228A5A
GetStockObject.GDI32(00000011), ref: 00228A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00228A81

Part of subcall function 0022912D: GetCursorPos.USER32(?), ref: 00229141
Part of subcall function 0022912D: ScreenToClient.USER32(00000000,?), ref: 0022915E
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000001), ref: 00229183
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000002), ref: 0022919D

SetTimer.USER32(00000000,00000000,00000028,002290FC), ref: 00228AA8

Strings

AutoIt v3 GUI, xrefs: 00228A20

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 712ec187008586f5f4daaece0424c9f731665e5d712c37747bebbea0a7d50e61
Instruction ID: 7a7fcc0a8ed1031864a860ca4395e50d2558664b5b604c60393202687e13f7b3
Opcode Fuzzy Hash: 712ec187008586f5f4daaece0424c9f731665e5d712c37747bebbea0a7d50e61
Instruction Fuzzy Hash: 00B19431A1021AAFDF14DFA8ED49BAE7BB5FB49314F104129FA15A7290DB70E860CF51

Function 00270D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
Part of subcall function 002710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
Part of subcall function 002710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
Part of subcall function 002710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
Part of subcall function 002710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00270DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00270E29
GetLengthSid.ADVAPI32(?), ref: 00270E40
GetAce.ADVAPI32(?,00000000,?), ref: 00270E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00270E96
GetLengthSid.ADVAPI32(?), ref: 00270EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00270EB5
HeapAlloc.KERNEL32(00000000), ref: 00270EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00270EDD
CopySid.ADVAPI32(00000000), ref: 00270EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00270F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00270F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00270F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F6E
HeapFree.KERNEL32(00000000), ref: 00270F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F7E
HeapFree.KERNEL32(00000000), ref: 00270F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00270F8E
HeapFree.KERNEL32(00000000), ref: 00270F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00270FA1
HeapFree.KERNEL32(00000000), ref: 00270FA8

Part of subcall function 00271193: GetProcessHeap.KERNEL32(00000008,00270BB1,?,00000000,?,00270BB1,?), ref: 002711A1
Part of subcall function 00271193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00270BB1,?), ref: 002711A8
Part of subcall function 00271193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00270BB1,?), ref: 002711B7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction ID: 1d795297315acf2962ef11c496b97356100dee1137cd7a5ff72595dca4a504c8
Opcode Fuzzy Hash: e61ee62df7f33dd50d98223172a4eb210eb6d96617847ba3ffc2b680a38765bd
Instruction Fuzzy Hash: 9C716E7191021AEBDF20DFA4EC88FAEBBB8BF05300F148125F919E6191DB719919CB61

Function 0029C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002ACC08,00000000,?,00000000,?,?), ref: 0029C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0029C5A4
_wcslen.LIBCMT ref: 0029C5F4
_wcslen.LIBCMT ref: 0029C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0029C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0029C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0029C84D
RegCloseKey.ADVAPI32(?), ref: 0029C881
RegCloseKey.ADVAPI32(00000000), ref: 0029C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0029C960

Strings

REG_SZ, xrefs: 0029C644
REG_DWORD, xrefs: 0029C804
REG_MULTI_SZ, xrefs: 0029C6F5
REG_EXPAND_SZ, xrefs: 0029C5CD
REG_QWORD, xrefs: 0029C8C3
REG_BINARY, xrefs: 0029C913

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9b95b58bc026d8a46878e4f5e0c064442e9f4461ba79d48d41324e4a4f6ec773
Instruction ID: bc53d1bece745d437f9c3d87394c5ef348b64b13f724bc2a3bf3c68f2c06f937
Opcode Fuzzy Hash: 9b95b58bc026d8a46878e4f5e0c064442e9f4461ba79d48d41324e4a4f6ec773
Instruction Fuzzy Hash: 5D126975624201AFDB14DF14C891A6AB7E5FF88714F24889DF84A9B3A2DB31EC51CF81

Function 002A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A09C6
_wcslen.LIBCMT ref: 002A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A0A54
_wcslen.LIBCMT ref: 002A0A8A
_wcslen.LIBCMT ref: 002A0B06
_wcslen.LIBCMT ref: 002A0B81

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

Part of subcall function 00272BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00272BFA

Strings

GETITEMCOUNT, xrefs: 002A0C1E
COLLAPSE, xrefs: 002A0B01, 002A0B1C
ISCHECKED, xrefs: 002A0CE1
SELECT, xrefs: 002A0D11
GETTEXT, xrefs: 002A0C97
GETTOTALCOUNT, xrefs: 002A09F2, 002A0A17
CHECK, xrefs: 002A0A85, 002A0AA0
EXISTS, xrefs: 002A0B7C, 002A0B97
UNCHECK, xrefs: 002A0D3E
EXPAND, xrefs: 002A0BF8
GETSELECTED, xrefs: 002A0C4E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction ID: bad0adc9d1ca42052266afc48aeb5a5765d4cd994a8cec6cf376a9944d7bae5a
Opcode Fuzzy Hash: 046a0039f77dad810612c624190e9aeed3daae4b4d85a2e6f8c9e4a5a7a65ca1
Instruction Fuzzy Hash: E9E1BE312287029FC714DF24C49096AB7E2FF99318F50895DF8969B362DB30ED65CB81

Function 0029C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
_wcslen.LIBCMT ref: 0029C9F1
_wcslen.LIBCMT ref: 0029CA68
_wcslen.LIBCMT ref: 0029CA9E
_wcslen.LIBCMT ref: 0029CAF9
_wcslen.LIBCMT ref: 0029CB2F
_wcslen.LIBCMT ref: 0029CB7F

Strings

HKCC, xrefs: 0029CBAC
HKLM, xrefs: 0029CA98, 0029CA9D
HKEY_CURRENT_CONFIG, xrefs: 0029CB79, 0029CB7E
HKEY_LOCAL_MACHINE, xrefs: 0029CA62, 0029CA67
HKEY_CLASSES_ROOT, xrefs: 0029CAF3, 0029CAF8
HKCR, xrefs: 0029CB29, 0029CB2E
HKCU, xrefs: 0029CBCE
HKEY_CURRENT_USER, xrefs: 0029CBBD
HKU, xrefs: 0029CBF0
HKEY_USERS, xrefs: 0029CBDF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction ID: d79311edaeef25bf258846a4e62d8c34360a987ea3fe6922b8630ac58cbf9a8e
Opcode Fuzzy Hash: ca2f198b571b90a29993baf9eee17895be6787ed350c4cdc14d8b42efcbda7fa
Instruction Fuzzy Hash: A871F13263016B8BCF20DE78CD516BE33A5AB61764B310529F8569B284EA34CDB087A0

Function 002A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A835A
_wcslen.LIBCMT ref: 002A836E
_wcslen.LIBCMT ref: 002A8391
_wcslen.LIBCMT ref: 002A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002A5BF2), ref: 002A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8501
FreeLibrary.KERNEL32(?), ref: 002A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002A851D
DestroyIcon.USER32(?,?,?,?,?,002A5BF2), ref: 002A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002A8555

Strings

.dll, xrefs: 002A83AB
.icl, xrefs: 002A8368
.exe, xrefs: 002A8388

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction ID: 08a0999c315db1da34758f70c8079a1b1e0c529c64eefaa7673a2a1a77a94d77
Opcode Fuzzy Hash: ccc58cbbd4a7c0ee9c3a70181e651254ef74c5bbd1a978f56eeb0da2178355b3
Instruction Fuzzy Hash: CB61F171920206BFEB14DF64DC45BBE77A8BB09720F20454AF815D60D0EF74A9A0CBA0

Function 00217778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00255153
', xrefs: 00255169
#pragma compile, xrefs: 002177D3
#comments-end, xrefs: 002178D9
#requireadmin, xrefs: 002177FF
Unterminated group of comments, xrefs: 0025528C
Bad directive syntax error, xrefs: 0025519A
#include-once, xrefs: 0021782F
#cs, xrefs: 00217873, 002178C5
Cannot parse #include, xrefs: 00255279
#notrayicon, xrefs: 002177E7
#ce, xrefs: 002178ED
#comments-start, xrefs: 0021785F, 002178B1
#OnAutoItStartRegister, xrefs: 00217817
#include, xrefs: 00217847

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c7214fcfbbe39d6839e42a80290f5da6ec82cde396a5fc98afa9bbc003c1a71e
Instruction ID: 8bb385504df6c2d408d60d681070677c86e20679b17567812f58cf1bada41b7d
Opcode Fuzzy Hash: c7214fcfbbe39d6839e42a80290f5da6ec82cde396a5fc98afa9bbc003c1a71e
Instruction Fuzzy Hash: 1A811AB1634616BBDB20AF60DC52FEE77B8AF65300F044025FC05AA192EB70D9B5CB95

Function 00275A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00275A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00275A40
SetWindowTextW.USER32(?,?), ref: 00275A57
GetDlgItem.USER32(?,000003EA), ref: 00275A6C
SetWindowTextW.USER32(00000000,?), ref: 00275A72
GetDlgItem.USER32(?,000003E9), ref: 00275A82
SetWindowTextW.USER32(00000000,?), ref: 00275A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00275AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00275AC3
GetWindowRect.USER32(?,?), ref: 00275ACC
_wcslen.LIBCMT ref: 00275B33
SetWindowTextW.USER32(?,?), ref: 00275B6F
GetDesktopWindow.USER32 ref: 00275B75
GetWindowRect.USER32(00000000), ref: 00275B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00275BD3
GetClientRect.USER32(?,?), ref: 00275BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00275C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00275C2F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b4bea4e3e5913f85eea933395a0a7da4e558606bbebfb43e490d2f8020c540
Instruction ID: d41f7e699adcc81910b43ff26984e1b520080339488911793bf92755801f1025
Opcode Fuzzy Hash: 15b4bea4e3e5913f85eea933395a0a7da4e558606bbebfb43e490d2f8020c540
Instruction Fuzzy Hash: 2B718F31910B169FDB20DFA8CE89A6EFBF5FF48704F104918E146A25A4DBB4E954CB50

Function 002730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027318D
_wcslen.LIBCMT ref: 002731F8

Strings

REGEXPCLASS, xrefs: 00273255, 00273266
[-, xrefs: 0027339A
CLASSNN, xrefs: 002731F3, 00273204
INSTANCE, xrefs: 00273453
TEXT, xrefs: 0027347C
CLASS, xrefs: 00273188, 002731A5
NAME, xrefs: 00273335, 00273346

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[-
API String ID: 176396367-2782989067
Opcode ID: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction ID: 0057a52ae77a3b08bd53fb1b0b938f817a95becdb1dcd3611180b804383d141b
Opcode Fuzzy Hash: a8d03c097fa8f9dcacd1aaacb39fe9e46ef6c5d46d34acde549e0aba1448760d
Instruction Fuzzy Hash: 7FE11832A20527ABCB18DF74C4517EEBBB4BF14710F54C11AE45AE7240DB70AEA5ABD0

Function 002300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002300C6

Part of subcall function 002300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002E070C,00000FA0,B29F0527,?,?,?,?,002523B3,000000FF), ref: 0023011C
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002523B3,000000FF), ref: 00230127
Part of subcall function 002300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002523B3,000000FF), ref: 00230138
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0023014E
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0023015C
Part of subcall function 002300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0023016A
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00230195
Part of subcall function 002300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002301A0

___scrt_fastfail.LIBCMT ref: 002300E7

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

Strings

WakeAllConditionVariable, xrefs: 00230162
InitializeConditionVariable, xrefs: 00230148
kernel32.dll, xrefs: 00230133
SleepConditionVariableCS, xrefs: 00230154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00230122

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction ID: 650d5c7266ae241d57b9e084f0d562d3f387c9220813e87e9eba07d307de1cb3
Opcode Fuzzy Hash: fa0e87ac4a6c13fe6964c6287df77e391b5cefd33a6fadea6da58a9dd9963dce
Instruction Fuzzy Hash: 4F2129B2A60711AFD7216FE4BD9DB2A73A4DB07F51F100136F809A6291DFB49C108AB0

Function 002844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002ACC08), ref: 00284527
_wcslen.LIBCMT ref: 0028453B
_wcslen.LIBCMT ref: 00284599
_wcslen.LIBCMT ref: 002845F4
_wcslen.LIBCMT ref: 0028463F
_wcslen.LIBCMT ref: 002846A7

Part of subcall function 0022F9F2: _wcslen.LIBCMT ref: 0022F9FD

GetDriveTypeW.KERNEL32(?,002D6BF0,00000061), ref: 00284743

Strings

fixed, xrefs: 00284635, 0028463A
removable, xrefs: 002845EA, 002845EF
all, xrefs: 00284531, 00284536
cdrom, xrefs: 0028458F, 00284594
unknown, xrefs: 00284708
ramdisk, xrefs: 002846F1
network, xrefs: 0028469D, 002846A2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction ID: 397e21eace12467cf7cec3e3302f5e48e11789c1abc417bb34b584191b253efa
Opcode Fuzzy Hash: 38a0523525d179e4d43406b31e58583d5652806f25065c2a5d50d90eb8e5ca29
Instruction Fuzzy Hash: D7B1E2396293139BC710FF28C890A6EB7E5AFA5724F50491DF496C72D1E730E8A4CB52

Function 002A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

DragQueryPoint.SHELL32(?,?), ref: 002A9147

Part of subcall function 002A7674: ClientToScreen.USER32(?,?), ref: 002A769A
Part of subcall function 002A7674: GetWindowRect.USER32(?,?), ref: 002A7710
Part of subcall function 002A7674: PtInRect.USER32(?,?,002A8B89), ref: 002A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9277
DragFinish.SHELL32(?), ref: 002A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002A9371

Strings

@GUI_DRAGID, xrefs: 002A92E9
p#., xrefs: 002A92BB
@GUI_DROPID, xrefs: 002A929E
@GUI_DRAGFILE, xrefs: 002A9320

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#.
API String ID: 221274066-2896109970
Opcode ID: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction ID: 43e7a5fdc3afe843aa3625655be0f2be8a1f476594546150be3b29169ed35d74
Opcode Fuzzy Hash: 5afe16ada1c67c4d2da95db5202d950a541a0656af9a0159232ba9451bd466f4
Instruction Fuzzy Hash: 2561AD71118301AFC704DF50DC89DAFBBE8EF9A750F10092EF595921A1DB309AA9CF92

Function 0029AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029B1D4
_wcslen.LIBCMT ref: 0029B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029B236
_wcslen.LIBCMT ref: 0029B332

Part of subcall function 002805A7: GetStdHandle.KERNEL32(000000F6), ref: 002805C6

_wcslen.LIBCMT ref: 0029B34B
_wcslen.LIBCMT ref: 0029B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029B3B6
GetLastError.KERNEL32(00000000), ref: 0029B407
CloseHandle.KERNEL32(?), ref: 0029B439
CloseHandle.KERNEL32(00000000), ref: 0029B44A
CloseHandle.KERNEL32(00000000), ref: 0029B45C
CloseHandle.KERNEL32(00000000), ref: 0029B46E
CloseHandle.KERNEL32(?), ref: 0029B4E3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1c40d0184a359041bce6ca6ba0f7e27d46ad871e7124bf5c304a1c66d8d57d54
Instruction ID: 324effe7ccc403362b01b2e6b38f347f7ed58c57cc297531a4ce008427428db0
Opcode Fuzzy Hash: 1c40d0184a359041bce6ca6ba0f7e27d46ad871e7124bf5c304a1c66d8d57d54
Instruction Fuzzy Hash: 3EF1BE316243419FCB15EF24D991B6EBBE5AF85310F14845DF8898B2A2DB31EC64CF92

Function 0021326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002E1990), ref: 00252F8D
GetMenuItemCount.USER32(002E1990), ref: 0025303D
GetCursorPos.USER32(?), ref: 00253081
SetForegroundWindow.USER32(00000000), ref: 0025308A
TrackPopupMenuEx.USER32(002E1990,00000000,?,00000000,00000000,00000000), ref: 0025309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002530A9

Strings

0, xrefs: 0021327D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 82546cb22d0314a94c2ea2469dcb73a733bc73fc8c0120caee75546fb20f7be5
Instruction ID: 747551c488b771fbf0bed2cf8c2990110014b0351d9ebe2ef30ef0927cf037a1
Opcode Fuzzy Hash: 82546cb22d0314a94c2ea2469dcb73a733bc73fc8c0120caee75546fb20f7be5
Instruction Fuzzy Hash: 5171F670664206BFEB21DF24DC49F9ABFA5FF02364F204216F915661D0C7B1AD68CB54

Function 002A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002A6DEB

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6E94
DestroyWindow.USER32(?), ref: 002A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00210000,00000000), ref: 002A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A6EFD
GetDesktopWindow.USER32 ref: 002A6F16
GetWindowRect.USER32(00000000), ref: 002A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002A6F4D

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

Strings

0, xrefs: 002A6D98
tooltips_class32, xrefs: 002A6E58, 002A6EDD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction ID: 940f4628625e9d6c068c69b799d4ca50cfef78d90aa17f476df5d2c427c8cbfa
Opcode Fuzzy Hash: 69f154183a6bbb63fd1ac22ae6ab45ba0f76b49be54f78814564d4b982303431
Instruction Fuzzy Hash: 5E717A70154245AFDB25CF18EC48FAABBE9FB8A704F18041DF999C72A1CB70A965CB11

Function 0028C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0028C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0028C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0028C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028C5F0
InternetCloseHandle.WININET(00000000), ref: 0028C5FB

Strings

, xrefs: 0028C575

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction ID: 1da63c4212332422591b74ff5d8e0d8ed97db875fa0324c9c5e34415ac61f9c5
Opcode Fuzzy Hash: 6b930c949d92825ea1014823eb115156774a3fe86c6d1220cc4305bfff42fd79
Instruction Fuzzy Hash: 4B518DB4111205BFDB21AF60DD48AAB7BFCFF09354F20441AF945A6690DB34E9549B70

Function 002A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 002A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002AFC38,?), ref: 002A8611
GlobalFree.KERNEL32(00000000), ref: 002A8621
GetObjectW.GDI32(?,00000018,?), ref: 002A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002A8671
DeleteObject.GDI32(?), ref: 002A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002A86AF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction ID: 26bcb3858562aaa66f9513b03acbf8916c2b3ebda65f9301a71187a12694e2ba
Opcode Fuzzy Hash: 7b3ad6e432c2a4a18c19344ed5e24507156edafecc9868ffd2d8a05df8015821
Instruction Fuzzy Hash: 0F41E675600209AFDB119FA5DC4CEAA7BBCEB8AB11F244059F909E7260DF709911CB60

Function 002814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00281502
VariantCopy.OLEAUT32(?,?), ref: 0028150B
VariantClear.OLEAUT32(?), ref: 00281517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00281657
VariantInit.OLEAUT32(?), ref: 00281708
SysFreeString.OLEAUT32(?), ref: 0028178C
VariantClear.OLEAUT32(?), ref: 002817D8
VariantClear.OLEAUT32(?), ref: 002817E7
VariantInit.OLEAUT32(00000000), ref: 00281823

Strings

Default, xrefs: 002816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00281625

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 14c8bb060ecbf69ebc2dd66aad1935079420d6243dc225cbfc4870578adfe930
Instruction ID: a16ab7a19080fab41a03e38465f35426b62feb623462d7b6335a588a275393f9
Opcode Fuzzy Hash: 14c8bb060ecbf69ebc2dd66aad1935079420d6243dc225cbfc4870578adfe930
Instruction Fuzzy Hash: CBD12336A21111EBDB10AF64E884B7DB7B9BF46700F64806AF446AB1C0DB74EC72DB51

Function 0029B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0029B80A
RegCloseKey.ADVAPI32(?), ref: 0029B87E
RegCloseKey.ADVAPI32(?), ref: 0029B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0029B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0029B922
FreeLibrary.KERNEL32(00000000), ref: 0029B983
RegCloseKey.ADVAPI32(00000000), ref: 0029B994

Strings

RegDeleteKeyExW, xrefs: 0029B8FE
advapi32.dll, xrefs: 0029B8ED

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction ID: 81d5ce16dd4192800b818cb28e4171a7e8df9904c530d323a4731867a97efea1
Opcode Fuzzy Hash: 79a26237770e3b9a511611c69ad78d5ba99e02434bc5bafd9e005e2447d196c5
Instruction Fuzzy Hash: 0DC1BF34224202AFDB11DF14D594F6ABBE5BF84308F14859CF59A4B2A2CB71EC95CF91

Function 0029255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002925E8
CreateCompatibleDC.GDI32(?), ref: 002925F4
SelectObject.GDI32(00000000,?), ref: 00292601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0029266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002926D0
SelectObject.GDI32(?,?), ref: 002926D8
DeleteObject.GDI32(?), ref: 002926E1
DeleteDC.GDI32(?), ref: 002926E8
ReleaseDC.USER32(00000000,?), ref: 002926F3

Strings

(, xrefs: 0029268D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0e815b1c7dcf7f5b32318574d834215a73f63313675c5dfdbb4b9d57f6d81684
Instruction ID: 449b65879a59eab2da307b64067864e3f6a40ba1aa2e941b402a44e22032466c
Opcode Fuzzy Hash: 0e815b1c7dcf7f5b32318574d834215a73f63313675c5dfdbb4b9d57f6d81684
Instruction Fuzzy Hash: B961D475E10219EFCF05CFA4D984AAEBBF9FF48310F208529E959A7250D770A951CF90

Function 0024DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0024DAA1

Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D659
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D66B
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D67D
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D68F
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6A1
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6B3
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6C5
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6D7
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6E9
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D6FB
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D70D
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D71F
Part of subcall function 0024D63C: _free.LIBCMT ref: 0024D731

_free.LIBCMT ref: 0024DA96

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024DAB8
_free.LIBCMT ref: 0024DACD
_free.LIBCMT ref: 0024DAD8
_free.LIBCMT ref: 0024DAFA
_free.LIBCMT ref: 0024DB0D
_free.LIBCMT ref: 0024DB1B
_free.LIBCMT ref: 0024DB26
_free.LIBCMT ref: 0024DB5E
_free.LIBCMT ref: 0024DB65
_free.LIBCMT ref: 0024DB82
_free.LIBCMT ref: 0024DB9A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d9de1ff8267fd3b8bea80b28fcd043b52bbb338540a3bcfd1e7b978908b51dec
Instruction ID: 6d68784ab88d4b7a246badc581bfab54a496cca115bcdfa7ecd42df7c51c78aa
Opcode Fuzzy Hash: d9de1ff8267fd3b8bea80b28fcd043b52bbb338540a3bcfd1e7b978908b51dec
Instruction Fuzzy Hash: D7315A31664206DFEB2AAE3AE845B5AB7E9FF00310F65541AF448D7291DE30AC64CB20

Function 0027365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027369C
_wcslen.LIBCMT ref: 002736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00273797
GetClassNameW.USER32(?,?,00000400), ref: 0027380C
GetDlgCtrlID.USER32(?), ref: 0027385D
GetWindowRect.USER32(?,?), ref: 00273882
GetParent.USER32(?), ref: 002738A0
ScreenToClient.USER32(00000000), ref: 002738A7
GetClassNameW.USER32(?,?,00000100), ref: 00273921
GetWindowTextW.USER32(?,?,00000400), ref: 0027395D

Strings

%s%u, xrefs: 00273734

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction ID: dcf691f487f3b65d653ebb0e39a3da2cdcf986de4ecc96a978d3ad1e753eca92
Opcode Fuzzy Hash: 9c1ddf7b4fd22764f561b68804577d8e642c9925c636fc95728016f65e2fee74
Instruction Fuzzy Hash: E591BC71224607EFD719DF24C885BAAF7A8FF44310F108629FA9DC2190DB30EA65DB91

Function 00274954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00274994
GetWindowTextW.USER32(?,?,00000400), ref: 002749DA
_wcslen.LIBCMT ref: 002749EB
CharUpperBuffW.USER32(?,00000000), ref: 002749F7
_wcsstr.LIBVCRUNTIME ref: 00274A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00274A64
GetWindowTextW.USER32(?,?,00000400), ref: 00274A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00274AE6
GetClassNameW.USER32(?,?,00000400), ref: 00274B20
GetWindowRect.USER32(?,?), ref: 00274B8B

Strings

ThumbnailClass, xrefs: 00274A6F, 00274AF1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction ID: 11e0d711786fda7d9663648fd65e6b31e6a5b9da6773350422ef88b39255ddd6
Opcode Fuzzy Hash: a0f271917c07a1e5c8e93f69cb946fc1d6b47d42bac683d4c86e31cf3b4c2413
Instruction Fuzzy Hash: 2691D1714242069FDB05EF14C885FAAB7E8FF84714F04C46AFD899A096DB30ED65CBA1

Function 002A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002A8D5A
GetFocus.USER32 ref: 002A8D6A
GetDlgCtrlID.USER32(00000000), ref: 002A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 002A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002A8ECF
GetMenuItemCount.USER32(?), ref: 002A8EEC
GetMenuItemID.USER32(?,00000000), ref: 002A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002A8FA1

Strings

0, xrefs: 002A8E9F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 1a9054e887d41864b782bdd1eaf043e47d6ce882705e16de94fad4ee19f9f532
Instruction ID: 1cd57224e16c31c6acdca1b7961ff8c17b89add1800989e6b3bb20c83b3bff07
Opcode Fuzzy Hash: 1a9054e887d41864b782bdd1eaf043e47d6ce882705e16de94fad4ee19f9f532
Instruction Fuzzy Hash: 7B8192715143029FDB10CF24D984A6BBBE9FB8A754F140929F985D7291DF70D920CF62

Function 0027DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0027DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0027DC46
_wcslen.LIBCMT ref: 0027DC50
_wcsstr.LIBVCRUNTIME ref: 0027DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0027DCBC

Strings

04090000, xrefs: 0027DCF2
DefaultLangCodepage, xrefs: 0027DD1F
%u.%u.%u.%u, xrefs: 0027DD9A
\VarFileInfo\Translation, xrefs: 0027DCB4
StringFileInfo\, xrefs: 0027DC8F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 167de4f042bcfe6f0b823f5d21c300ccea01cbcfd4b7edb3b743389fede1e268
Instruction ID: 4b6a3fe3834309e5b1d0c17951bdc865198c2b7f865eeccc1cb4c23e03f5814d
Opcode Fuzzy Hash: 167de4f042bcfe6f0b823f5d21c300ccea01cbcfd4b7edb3b743389fede1e268
Instruction Fuzzy Hash: 044121729602117BDB15AB70AC47EBF77BCEF47710F20406AF904A6182EB7199209BA4

Function 0029CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0029CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD48

Part of subcall function 0029CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0029CCAA
Part of subcall function 0029CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0029CCBD
Part of subcall function 0029CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029CCCF
Part of subcall function 0029CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029CD05
Part of subcall function 0029CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0029CCF3

Strings

RegDeleteKeyExW, xrefs: 0029CCC9
advapi32.dll, xrefs: 0029CCB8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction ID: 3c0574f1cf9cded1bfff12894f067eff21a9d7df2a5251338d29bd26e93ae871
Opcode Fuzzy Hash: 4fd555ce7e9eafbf2c7a93478ab2ec87e7411b5c2ba5163fb8c9dfe4fab4f84c
Instruction Fuzzy Hash: 32316E71A11129BBDB208F54DC8CEFFBB7CEF46750F200165E909E2240DA749E45AAB0

Function 0027E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027E6B4

Part of subcall function 0022E551: timeGetTime.WINMM(?,?,0027E6D4), ref: 0022E555

Sleep.KERNEL32(0000000A), ref: 0027E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0027E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0027E727
SetActiveWindow.USER32 ref: 0027E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0027E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0027E773
Sleep.KERNEL32(000000FA), ref: 0027E77E
IsWindow.USER32 ref: 0027E78A
EndDialog.USER32(00000000), ref: 0027E79B

Strings

BUTTON, xrefs: 0027E719

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction ID: c0c52ca9ee503e2595f80a1d37c42a06ae513f437e6904e12cb03eacc4618e40
Opcode Fuzzy Hash: 86540c119219bb212740a0133a43f280bac35be7b5a1361cead5caac465b5e20
Instruction Fuzzy Hash: 7021D1B0660245EFEF009F24FCCDA257B6DF75A748B218465F90E861A1DFB1AC248A34

Function 0027E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0027EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0027EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0027EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027EAA7

Strings

play PlayMe, xrefs: 0027EAA2
play PlayMe wait, xrefs: 0027EA91
open , xrefs: 0027EA0C
status PlayMe mode, xrefs: 0027EA58
alias PlayMe, xrefs: 0027EA36
close PlayMe, xrefs: 0027EA6E, 0027EA9B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction ID: d6e16fbec0d9599083504087e5772762916dfb6f6746c9982dc9d538bc17d2ac
Opcode Fuzzy Hash: 9f1b5a7f1f03d02dd4c1535d4263f585cc00eff70e780e532a6206c5da007f28
Instruction Fuzzy Hash: D311773167025979DB20E7A5DC5EDFF6BBCEBD6B00F000466B415A21D1DE701DA5C9B0

Function 00228BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00228F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00228BE8,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228FC5

DestroyWindow.USER32(?), ref: 00228C81
KillTimer.USER32(00000000,?,?,?,?,00228BBA,00000000,?), ref: 00228D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00266973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000,?), ref: 002669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00228BBA,00000000), ref: 002669D4
DeleteObject.GDI32(00000000), ref: 002669E6

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction ID: 90eda7af4b3af96fe22a91ad7a20867d7a2bddae8b0170e20e695a7c9281ff81
Opcode Fuzzy Hash: fe01b9f0cadbeed4ce92558e606e1c23a4133798bcf6c5dcb7a376a3875b7e95
Instruction Fuzzy Hash: 1B617F31522661EFDB299F54FA4CB29B7F1FB41312F144529E0429A560CB75EDB0CFA0

Function 00229838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00229944: GetWindowLongW.USER32(?,000000EB), ref: 00229952

GetSysColor.USER32(0000000F), ref: 00229862

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction ID: 1a7961e444507467cbd76f4cc6b4558949f14fdeba1eb1152a4e7f53fb727a5e
Opcode Fuzzy Hash: a23268133f27a1e2e0aac2ab4c1245cea4d073043dea143514aaac04e57d9909
Instruction Fuzzy Hash: 0E41F531510650AFDB205F78BC88BB93BA5EB17330F284655F9A6872E1CB319CE2DB11

Function 002796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00279717
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279720

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0025F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00279742
LoadStringW.USER32(00000000,?,0025F7F8,00000001), ref: 00279745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00279866

Strings

Line %d (File "%s"):, xrefs: 0027978F
%s (%d) : ==> %s: %s %s, xrefs: 0027984A
Error: , xrefs: 0027981D
Line %d:, xrefs: 002797A0
^ ERROR, xrefs: 002797FB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b1c7121dfdf05ee2676e488967ddb3e352790bde71a99b8f0dead7351cb263be
Instruction ID: 57985ab4af3e3b21ffe2f0b915dc736f6de9357e06415407fa6934a1bd768651
Opcode Fuzzy Hash: b1c7121dfdf05ee2676e488967ddb3e352790bde71a99b8f0dead7351cb263be
Instruction Fuzzy Hash: 4C414172810219ABDB14EBE0DD56DEEB3B9AF25340F104065F60572092EB756FE8CFA1

Function 002706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00270804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0027082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00270837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027083C

Strings

\IPC$, xrefs: 00270784
\CLSID, xrefs: 00270724
SOFTWARE\Classes\, xrefs: 0027070E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction ID: a9fc7106480c6c2ebc5a79808b1163c4ad569c989b49c44e45f7b1ff1245cb73
Opcode Fuzzy Hash: 6e5ed620a0281cbc3f83e64e8de277c39e75c18433626e7f70a89e2ee4ab9a94
Instruction Fuzzy Hash: 18411A71C20229EBDF15EF94DC958EDB7B8BF14350B144166E905A3160EB705E98CF90

Function 00293C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00293C5C
CoInitialize.OLE32(00000000), ref: 00293C8A
CoUninitialize.OLE32 ref: 00293C94
_wcslen.LIBCMT ref: 00293D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00293DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00293ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00293F0E
CoGetObject.OLE32(?,00000000,002AFB98,?), ref: 00293F2D
SetErrorMode.KERNEL32(00000000), ref: 00293F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00293FC4
VariantClear.OLEAUT32(?), ref: 00293FD8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8f853f149f39c30e6794b663718e6451ca66eb83d108b2b1eb43731a2cd66e3c
Instruction ID: 4c016e61816ebbb5dba9fb098bdc323b3094cc531b0fbef9101112f540b700bb
Opcode Fuzzy Hash: 8f853f149f39c30e6794b663718e6451ca66eb83d108b2b1eb43731a2cd66e3c
Instruction Fuzzy Hash: FEC13671628205AFDB00DF68C88496BB7E9FF89744F10491DF98A9B250DB30EE55CB62

Function 00287A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00287AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00287B8F
SHGetDesktopFolder.SHELL32(?), ref: 00287BA3
CoCreateInstance.OLE32(002AFD08,00000000,00000001,002D6E6C,?), ref: 00287BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00287C74
CoTaskMemFree.OLE32(?,?), ref: 00287CCC
SHBrowseForFolderW.SHELL32(?), ref: 00287D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00287D7A
CoTaskMemFree.OLE32(00000000), ref: 00287D81
CoTaskMemFree.OLE32(00000000), ref: 00287DD6
CoUninitialize.OLE32 ref: 00287DDC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0393040725ca39f363bb412e9089750572e15969fb3d312d29155c8504c1c11b
Instruction ID: 5e9ddbf58a94dba02d6af5d08f96de95522a3048cf06fb592c2fe391f76a77d8
Opcode Fuzzy Hash: 0393040725ca39f363bb412e9089750572e15969fb3d312d29155c8504c1c11b
Instruction Fuzzy Hash: 7DC12C75A15105AFDB14DFA4C888DAEBBF9FF48304B248499E8199B361DB30ED91CF90

Function 002A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A5515
CharNextW.USER32(00000158), ref: 002A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A55AC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction ID: 1459b404b88d5c3c8dd8c0561917ff488526bb09532fa88e943a80ba97357adf
Opcode Fuzzy Hash: cb1194069ff1ce5677b8786dd5fcaffa54bc7907f063ee026bf3f7427ca50ecb
Instruction Fuzzy Hash: 8F616D3192462AEBDF10DF54DC849FF7BB9FB0B720F104145F525AA290DB748AA0DBA0

Function 0026FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0026FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0026FB08
VariantInit.OLEAUT32(?), ref: 0026FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0026FB3A
VariantCopy.OLEAUT32(?,?), ref: 0026FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0026FBA1
VariantClear.OLEAUT32(?), ref: 0026FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0026FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0026FBCC
VariantClear.OLEAUT32(?), ref: 0026FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0026FBE9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0ca4e611059af8d381ffc4df092b227853ac9defa1784dfeec597f0c894eb253
Instruction ID: f6176c058c672953a182f85e9c5686fb3014296e8d137dcb91e2efd6982bd912
Opcode Fuzzy Hash: 0ca4e611059af8d381ffc4df092b227853ac9defa1784dfeec597f0c894eb253
Instruction Fuzzy Hash: C8415135A10219DFCF00DFA4E9589ADBBB9FF09344F108069E945A7261DB30A995CF90

Function 00279C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00279CA1
GetAsyncKeyState.USER32(000000A0), ref: 00279D22
GetKeyState.USER32(000000A0), ref: 00279D3D
GetAsyncKeyState.USER32(000000A1), ref: 00279D57
GetKeyState.USER32(000000A1), ref: 00279D6C
GetAsyncKeyState.USER32(00000011), ref: 00279D84
GetKeyState.USER32(00000011), ref: 00279D96
GetAsyncKeyState.USER32(00000012), ref: 00279DAE
GetKeyState.USER32(00000012), ref: 00279DC0
GetAsyncKeyState.USER32(0000005B), ref: 00279DD8
GetKeyState.USER32(0000005B), ref: 00279DEA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fb0af0b3a145d51a4407e21b5a65b210b2dfe5dbf1277e4575afc9df2a3e3852
Instruction ID: da89b59996201b5d5eb237d5b9fa4a7dd4af823bd6723b97157e85be1524e0d6
Opcode Fuzzy Hash: fb0af0b3a145d51a4407e21b5a65b210b2dfe5dbf1277e4575afc9df2a3e3852
Instruction Fuzzy Hash: 5D41E8305147CB6AFF319F6484043B5BEA0AB17304F48C05FDACA565C2EBB499E4C792

Function 0029055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002905BC
inet_addr.WSOCK32(?), ref: 0029061C
gethostbyname.WSOCK32(?), ref: 00290628
IcmpCreateFile.IPHLPAPI ref: 00290636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002907B9
WSACleanup.WSOCK32 ref: 002907BF

Strings

Ping, xrefs: 00290676

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: aaf65988e1104c6b07293c7dc65e3e2cee6a437a98ef817fe0998817fc077bf7
Instruction ID: c6536c9da98d8ccc89ed3e472faf70285106499003cccc57501644e57b1f05b6
Opcode Fuzzy Hash: aaf65988e1104c6b07293c7dc65e3e2cee6a437a98ef817fe0998817fc077bf7
Instruction Fuzzy Hash: 7B919E35614202AFDB20CF55D4C8F5ABBE4BF44328F1585A9E4698B6A2C770EC91CF91

Function 00298CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00298CF3

Part of subcall function 00278E54: _wcslen.LIBCMT ref: 00278E77

_wcslen.LIBCMT ref: 00298D4E
_wcslen.LIBCMT ref: 00298D9C
_wcslen.LIBCMT ref: 00298DDC
_wcslen.LIBCMT ref: 00298E6E

Strings

none, xrefs: 00298E65, 00298E6A
winapi, xrefs: 00298D96, 00298D9B
stdcall, xrefs: 00298DD6, 00298DDB
cdecl, xrefs: 00298D48, 00298D4D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction ID: 037b911ad17cb9d9222c1475ed8b5f26a07ee5ee7c6b0538cc1b382d152f2a07
Opcode Fuzzy Hash: 722097796cbcd356d7932a81e7365501c4a0b47ae5a592cc909d343c4b3e2db2
Instruction Fuzzy Hash: 7D51B031A201179BCF14DF68C8509BEB3A5BF66720B294229F466E72C4EB31DD60CBD0

Function 0029372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00293774
CoUninitialize.OLE32 ref: 0029377F
CoCreateInstance.OLE32(?,00000000,00000017,002AFB78,?), ref: 002937D9
IIDFromString.OLE32(?,?), ref: 0029384C
VariantInit.OLEAUT32(?), ref: 002938E4
VariantClear.OLEAUT32(?), ref: 00293936

Strings

Invalid parameter, xrefs: 00293865
Failed to create object, xrefs: 002937E4, 0029389A
NULL Pointer assignment, xrefs: 0029381E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: eb7ed0f021da24d32f36fca47a0e63a011a1d158598ff72b445f69001cfcd63c
Instruction ID: d717d66a841554e87756c1a7869688efcd0f4402df6de1156c26f5a196b27368
Opcode Fuzzy Hash: eb7ed0f021da24d32f36fca47a0e63a011a1d158598ff72b445f69001cfcd63c
Instruction Fuzzy Hash: 8461AF70628301AFD711DF54D888BAABBE8FF49714F104819F9859B291D770EE58CB92

Function 002A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

Part of subcall function 0022912D: GetCursorPos.USER32(?), ref: 00229141
Part of subcall function 0022912D: ScreenToClient.USER32(00000000,?), ref: 0022915E
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000001), ref: 00229183
Part of subcall function 0022912D: GetAsyncKeyState.USER32(00000002), ref: 0022919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 002A8B6B
ImageList_EndDrag.COMCTL32 ref: 002A8B71
ReleaseCapture.USER32 ref: 002A8B77
SetWindowTextW.USER32(?,00000000), ref: 002A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 002A8CFF

Strings

@GUI_DROPID, xrefs: 002A8C51
p#., xrefs: 002A8C71
@GUI_DRAGFILE, xrefs: 002A8C9A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#.
API String ID: 1924731296-2689671650
Opcode ID: 0b15662852942fb446a6d90f5ded169d518c741e0bad3f2f76ad55fe484a5e47
Instruction ID: 899198900a54dcbeedb9b95ae23a067bf29cc2c76dfe69138db9cd04767e333d
Opcode Fuzzy Hash: 0b15662852942fb446a6d90f5ded169d518c741e0bad3f2f76ad55fe484a5e47
Instruction Fuzzy Hash: 3251AC71114340AFD704DF10EC99FAA77E5FB89710F40062AF996672A2CB709964CF62

Function 00283388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002833CF

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002833F0

Strings

Line %d (File "%s"):, xrefs: 00283443, 0028345C
Incorrect parameters to object property !, xrefs: 002834AB
Error: , xrefs: 002834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00283504
"%s" (%d) : ==> %s:, xrefs: 00283522
^ ERROR , xrefs: 0028349E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2aec1c1223db2d3bd1879f87d8d2d9dfdba8f08012debb6a90e656e419fa44db
Instruction ID: 7a02e557a159019539d17d5e009abb0abdb79197739e1d24d2116955073dfdcd
Opcode Fuzzy Hash: 2aec1c1223db2d3bd1879f87d8d2d9dfdba8f08012debb6a90e656e419fa44db
Instruction Fuzzy Hash: 49518F71920209AADF14EBA0DD46EEEB3B9AF19740F104066F50572192EB352FF8DF60

Function 0027B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0027B5FC
_wcslen.LIBCMT ref: 0027B608
_wcslen.LIBCMT ref: 0027B64D
_wcslen.LIBCMT ref: 0027B68C
_wcslen.LIBCMT ref: 0027B6C7

Strings

KEYS, xrefs: 0027B647, 0027B64C
APPEND, xrefs: 0027B6C1, 0027B6C6
EXISTS, xrefs: 0027B686, 0027B68B
REMOVE, xrefs: 0027B602, 0027B607

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction ID: 5f233d3c2ea88e929d337c17eda6a6e11e4d5aaa1d3c3f12468195d37af15a30
Opcode Fuzzy Hash: 7575b85b4969c2e14e6ce92ae128cea8eacab0111fd8dae11d4108fdf1b47140
Instruction Fuzzy Hash: 3E41EC32A200279BCB116F7DC8907BEB7A9FF61754B248129E629D7284E735CDA1C790

Function 00285393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00285416
GetLastError.KERNEL32 ref: 00285420
SetErrorMode.KERNEL32(00000000,READY), ref: 002854A7

Strings

READONLY, xrefs: 00285452
NOTREADY, xrefs: 0028544B
READY, xrefs: 00285460, 00285468
INVALID, xrefs: 00285459
UNKNOWN, xrefs: 00285444

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction ID: 2f42cba97a43a57ca04bc58c18194c10c7a81600b961a50d92069030cc746e98
Opcode Fuzzy Hash: 404d70c2d470ccb1ceac9fc28e764da4368c8612beaf6e01b9a8fe9ab5cdfe2b
Instruction Fuzzy Hash: 0F31C339A216159FD710EF68C488AAABBF4FF45305F148066E405CB3D2DB71DDA6CB90

Function 002A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002A3C79
SetMenu.USER32(?,00000000), ref: 002A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A3D10
IsMenu.USER32(?), ref: 002A3D24
CreatePopupMenu.USER32 ref: 002A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A3D5B
DrawMenuBar.USER32 ref: 002A3D63

Strings

0, xrefs: 002A3C54
F, xrefs: 002A3D4E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8c070940d22924112313d03428c8c351281b4f5998f51497e21367c3b78fb301
Instruction ID: 2943d90309d5d2fd83a27408bf37d54ea23e0edf77479103f2ef55a0a229c70e
Opcode Fuzzy Hash: 8c070940d22924112313d03428c8c351281b4f5998f51497e21367c3b78fb301
Instruction Fuzzy Hash: 09415E75A1160AEFDB14CF64E888ADA77B5FF4A350F140029F946A7360DB70AA20CF54

Function 002A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 002A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002A3C13

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8379bf8367ca8009ec596d2cc7fac69d54b1afbadbb4ecda57274e71cedfca4b
Instruction ID: 7810b11c6c276b5c2d4796e260b46244d97ec9c7e08b3aa35e171b3f7aca132a
Opcode Fuzzy Hash: 8379bf8367ca8009ec596d2cc7fac69d54b1afbadbb4ecda57274e71cedfca4b
Instruction Fuzzy Hash: FF617C75910248AFDB10DF64CC85EEE77B9EB0A714F1000AAFA15A7291CB70AE65DF60

Function 0027B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B165
GetWindowThreadProcessId.USER32(00000000), ref: 0027B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0027A1E1,?,00000001), ref: 0027B21D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction ID: 2c901eec3646fb88692186d3117fc542baac676b1777228e82962cdfafffb2c1
Opcode Fuzzy Hash: 3973b16c8e758c2e127850fe09b721588ebf2d06ad5ccef3713e8a8f6c44360e
Instruction Fuzzy Hash: CD31CE71560209BFDB12DF24EC8CB6E7BADBB51312F208414FA08DB191DBB49E008F60

Function 00242C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00242C94

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 00242CA0
_free.LIBCMT ref: 00242CAB
_free.LIBCMT ref: 00242CB6
_free.LIBCMT ref: 00242CC1
_free.LIBCMT ref: 00242CCC
_free.LIBCMT ref: 00242CD7
_free.LIBCMT ref: 00242CE2
_free.LIBCMT ref: 00242CED
_free.LIBCMT ref: 00242CFB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c71fedc430c6bcfc448280955b53a785ade35bd4cd94099dc1f19d89a163f597
Instruction ID: eea809b0cc66291a78e1f970bd6378901741b70bdb17fba240eb77d6c10369c6
Opcode Fuzzy Hash: c71fedc430c6bcfc448280955b53a785ade35bd4cd94099dc1f19d89a163f597
Instruction Fuzzy Hash: C811D776120108EFDB0AEF56D882CDD3BA5FF05350FA154A1F9489F222DA31EE649F90

Function 00211410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00211459
OleUninitialize.OLE32(?,00000000), ref: 002114F8
UnregisterHotKey.USER32(?), ref: 002116DD
DestroyWindow.USER32(?), ref: 002524B9
FreeLibrary.KERNEL32(?), ref: 0025251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0025254B

Strings

close all, xrefs: 00211454

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c5e2f57ff2882bcfc659e29530aeecb86da577a24a18cefb11f35b069eb72eec
Instruction ID: b41c93daa9cdd087f747ec850bb0df38dd3aea529df270c077a6685c79dbaac2
Opcode Fuzzy Hash: c5e2f57ff2882bcfc659e29530aeecb86da577a24a18cefb11f35b069eb72eec
Instruction Fuzzy Hash: 4FD1BD30721222CFCB19EF14C599B69F7A4BF16700F6441ADE94A6B291DB30AC7ACF54

Function 00215BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00215C7A

Part of subcall function 00215D0A: GetClientRect.USER32(?,?), ref: 00215D30
Part of subcall function 00215D0A: GetWindowRect.USER32(?,?), ref: 00215D71
Part of subcall function 00215D0A: ScreenToClient.USER32(?,?), ref: 00215D99

GetDC.USER32 ref: 002546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00254708
SelectObject.GDI32(00000000,00000000), ref: 00254716
SelectObject.GDI32(00000000,00000000), ref: 0025472B
ReleaseDC.USER32(?,00000000), ref: 00254733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002547C4

Strings

U, xrefs: 00254693

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5a81cb21a6469bf9bdc9f7f58cea4ad8f7de1c97ebbe2cd00fd8b4641c292352
Instruction ID: 27929cc54f868a75d6fdf47aa757b8b22640f8756b21bde739e19c46335f8eb2
Opcode Fuzzy Hash: 5a81cb21a6469bf9bdc9f7f58cea4ad8f7de1c97ebbe2cd00fd8b4641c292352
Instruction Fuzzy Hash: 0E710434420206DFCF219F64C988AFABBB5FF8A32AF144266ED555A166C7308CE5DF50

Function 0028359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

Line %d (File "%s"):, xrefs: 0028366B
Error: , xrefs: 002836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00283724
^ ERROR, xrefs: 002836C9
"%s" (%d) : ==> %s:, xrefs: 00283742

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0c09ea4eca105f9997e0bb14128d112a0db6f5360358de0f8280d8d36d0ebc2d
Instruction ID: 98b4fa43ce8498514833782787af54bdb1df3d01f5a80b13daf492a67c03593a
Opcode Fuzzy Hash: 0c09ea4eca105f9997e0bb14128d112a0db6f5360358de0f8280d8d36d0ebc2d
Instruction Fuzzy Hash: DE517E7182021ABBDF14EBA0DC56EEDBBB9AF14700F144165F505721A1EB316AF8DFA0

Function 0028C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028C2CA
GetLastError.KERNEL32 ref: 0028C322
SetEvent.KERNEL32(?), ref: 0028C336
InternetCloseHandle.WININET(00000000), ref: 0028C341

Strings

, xrefs: 0028C2BB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction ID: 9804872516586de4611a37524fc117a4f8070fbe06d929b7b67356fdec7116ae
Opcode Fuzzy Hash: 50f2ac6457385d75fb14a89481bd431812a9f9a93e3b1c4cf6e15828ba905874
Instruction Fuzzy Hash: C331A0B5521304AFD721AF649C88ABB7BFCEB49744F24855EF446D2280DB34DD158B70

Function 0027989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00253AAF,?,?,Bad directive syntax error,002ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002798BC
LoadStringW.USER32(00000000,?,00253AAF,?), ref: 002798C3

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00279987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 002798F1
Line %d (File "%s"):, xrefs: 0027992D
., xrefs: 0027996D
Line %d:, xrefs: 00279912
Error: , xrefs: 00279955

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2ae0dfbf480be1256a13672bd557d8cea5b3c4fdc66460aa850af494d53b7568
Instruction ID: 4830e34df8532f16df6c3ae4d09b0c95d663d96a49f903012aa0813271b2d756
Opcode Fuzzy Hash: 2ae0dfbf480be1256a13672bd557d8cea5b3c4fdc66460aa850af494d53b7568
Instruction Fuzzy Hash: FA216F3182021AABDF11EF90CC0AEEE7775BF29704F044466F619620A1DA71AAB8DF50

Function 0027209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0027214D

Strings

smallicons, xrefs: 00272115
SHELLDLL_DefView, xrefs: 002720CC
list, xrefs: 0027212F
largeicons, xrefs: 002720E1
details, xrefs: 002720FB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction ID: c817897e8d6673a4c98d478f42678a2aa4877db001d4428c1280e7314c8ec838
Opcode Fuzzy Hash: a54e8c57668178fe618a0f53269586cb17aa08ade22b8293f07674753c3372a7
Instruction Fuzzy Hash: 1F113A762B8317FAF6017620EC0ADA6339CEB06724F304017FB0CA40D2EEB16C355A14

Function 0024CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0024CEB7
_free.LIBCMT ref: 0024CF22
_free.LIBCMT ref: 0024CF48
_free.LIBCMT ref: 0024CF71
_free.LIBCMT ref: 0024CFA9
_free.LIBCMT ref: 0024CFDA
_free.LIBCMT ref: 0024D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0024D09C
_free.LIBCMT ref: 0024D0B5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c8fca479f68a84646d64fcc8e8d92f13467d2ad6c6c4ea1e45ef03a6b8e0dd72
Instruction ID: 476647abcf2a1ae80c775624b67a74ba86af72bbe1b1599f1874fa7c4083f86a
Opcode Fuzzy Hash: c8fca479f68a84646d64fcc8e8d92f13467d2ad6c6c4ea1e45ef03a6b8e0dd72
Instruction Fuzzy Hash: 9D618A71925202AFDB2DAFB9ECC5A6D7B95EF01310F25016FF9009B241DB759C298BA0

Function 002A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002A5186
ShowWindow.USER32(?,00000000), ref: 002A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002A51D1

Part of subcall function 002A6FBA: DeleteObject.GDI32(00000000), ref: 002A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002A5296

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction ID: 1d3b0e9bc3c2652796329acdeff7ed6613ae9201834bec77bdc8d42c31aa4a7e
Opcode Fuzzy Hash: aee1f175c63d25fe4187c3b4106ec19a8f7e1e2b5c4f988466c1463a29b1c4f8
Instruction Fuzzy Hash: 2051B330A70A29BFEF249F24DC49BEA7B65EB06320F144011FA19962E1CF7599A0DF40

Function 00228B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00266890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 00266901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0026691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00228874,00000000,00000000,00000000,000000FF,00000000), ref: 0026692D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction ID: 8d36efa06e05671b39732c864bc495474f4ae5071d7fe535d41f6fd9881bdd92
Opcode Fuzzy Hash: f0f865cd53de4b730209d1bafc95415dddbb14207f6184e9ddf8e1b7f1638b0b
Instruction Fuzzy Hash: C0519B70620206EFDB20CF64EC99FAA7BB5EB58754F10452CF906D72A0DB70E9A0DB50

Function 0028C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028C182
GetLastError.KERNEL32 ref: 0028C195
SetEvent.KERNEL32(?), ref: 0028C1A9

Part of subcall function 0028C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028C272
Part of subcall function 0028C253: GetLastError.KERNEL32 ref: 0028C322
Part of subcall function 0028C253: SetEvent.KERNEL32(?), ref: 0028C336
Part of subcall function 0028C253: InternetCloseHandle.WININET(00000000), ref: 0028C341

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction ID: aa4b79d1e37300ad84ab0958fd749cbe2d99e71ca01805045c59f0857aec250c
Opcode Fuzzy Hash: b489d932794907c3e4d5cbba88b157877c79ce5f5c42af101c7f3965ddd55a2a
Instruction Fuzzy Hash: E5318275111701AFDB21AFB5EC48A66BBF8FF59300B24841EF95682694DB31E8249F70

Function 002725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00272601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00272605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0027260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00272623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00272627

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction ID: 6fa91216b085378eb6f77a41b2ea8298adaeb3baa77f03c85c94998fdc43fdac
Opcode Fuzzy Hash: 2e16f6f99e8a274efbb7df40fd70d704919c3e8be06fb3ca03cf3efc89cc9925
Instruction Fuzzy Hash: D101B1317A0210BBFB10A768AC8EF593E59DB8AB12F204011F318AE0D1CDF224559E69

Function 00271803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00271449,?,?,00000000), ref: 0027180C
HeapAlloc.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 00271813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271828
GetCurrentProcess.KERNEL32(?,00000000,?,00271449,?,?,00000000), ref: 00271830
DuplicateHandle.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 00271833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271449,?,?,00000000), ref: 00271843
GetCurrentProcess.KERNEL32(00271449,00000000,?,00271449,?,?,00000000), ref: 0027184B
DuplicateHandle.KERNEL32(00000000,?,00271449,?,?,00000000), ref: 0027184E
CreateThread.KERNEL32(00000000,00000000,00271874,00000000,00000000,00000000), ref: 00271868

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction ID: c4bed47fdf01e8593b838b3626b56e3cb459327b3d905a01ef38217c8ad30245
Opcode Fuzzy Hash: 21d01cf78d86c8a15184691902e025fe660c0070a26b06d07f9ea3cc88baf7b2
Instruction Fuzzy Hash: 3801BF75340304BFE710ABA5EC4DF573BACEB8AB11F104411FA05DB191DE709810CB20

Function 0029A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0027D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Part of subcall function 0027D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Part of subcall function 0027D4DC: CloseHandle.KERNEL32(00000000), ref: 0027D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A16D
GetLastError.KERNEL32 ref: 0029A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029A268
GetLastError.KERNEL32(00000000), ref: 0029A273
CloseHandle.KERNEL32(00000000), ref: 0029A2C4

Strings

SeDebugPrivilege, xrefs: 0029A18F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2add40e3a49415a0e06025f2c2867b656af06eeeb6067dbb7989003236051d98
Instruction ID: b13d53dc7bb79f29d6647d9e0b8023f617c194e97087ab7c8b93999475257a87
Opcode Fuzzy Hash: 2add40e3a49415a0e06025f2c2867b656af06eeeb6067dbb7989003236051d98
Instruction Fuzzy Hash: 06616E306143429FDB10DF18C494F55BBE1AF54318F14849CE46A4B7A2CB76EC55CBD2

Function 002A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A3954
_wcslen.LIBCMT ref: 002A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A39F4

Strings

SysListView32, xrefs: 002A38F7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 38b03229406136ed497e8aadcd0b2c11da9a068b9494a554be954712f4a054e2
Instruction ID: 336350d6e5077e1268e94b3ff17c1cd9a36af096acd0069ccec74f4a09521028
Opcode Fuzzy Hash: 38b03229406136ed497e8aadcd0b2c11da9a068b9494a554be954712f4a054e2
Instruction Fuzzy Hash: 5A41C571A10219ABEB21DF64CC49BEA77A9EF09350F100526F948E7281DB759DA4CB90

Function 0027BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027BCFD
IsMenu.USER32(00000000), ref: 0027BD1D
CreatePopupMenu.USER32 ref: 0027BD53
GetMenuItemCount.USER32(01865628), ref: 0027BDA4
InsertMenuItemW.USER32(01865628,?,00000001,00000030), ref: 0027BDCC

Strings

2, xrefs: 0027BD37
0, xrefs: 0027BCA8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6acf95b416c702748d17f304f5d5f3078cf2feca5889525cd8c7c07ce63353a0
Instruction ID: 232cf1df33c440b3fc236fc7f77358809c739970ddb118dc30fdc0a2fc0c9ad1
Opcode Fuzzy Hash: 6acf95b416c702748d17f304f5d5f3078cf2feca5889525cd8c7c07ce63353a0
Instruction Fuzzy Hash: 2B519170A102069FDF22CFA8D888BAEBBF4BF46314F24C159F419E7291E7709965CB51

Function 00232D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00232D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00232D53
_ValidateLocalCookies.LIBCMT ref: 00232DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00232E0C
_ValidateLocalCookies.LIBCMT ref: 00232E61

Strings

csm, xrefs: 00232DF6
&H#, xrefs: 00232DFE, 00232E07, 00232E18

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H#$csm
API String ID: 1170836740-98951210
Opcode ID: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction ID: 588a6868b0e7843ded3a1eedbdee14006cf7fccfbb3c672c23b648a0af5e84c3
Opcode Fuzzy Hash: 7d5947761b4c4a3e2a29ec450276a8016e24f6def44634d0ce293af4d2009186
Instruction Fuzzy Hash: 1141B5B4A2020DEBCF10DF68C845A9EBBB5BF45315F148156E815AB392D731EA29CFD0

Function 0027C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0027C913

Strings

warning, xrefs: 0027C8FC
info, xrefs: 0027C8B4
stop, xrefs: 0027C8E4
blank, xrefs: 0027C895
question, xrefs: 0027C8CC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction ID: 4395393eba585eb737826c4316384504fbef8517adadfce66496d8606fc3878d
Opcode Fuzzy Hash: fed24a9f0546e549119a30079a8171860341028dabb31a2b73e096a9beb63332
Instruction Fuzzy Hash: 8711EB316B930BFBA7016F64DC82DFAA79CDF16354B30406FFA08A6382D7B06D205665

Function 0027ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0027ED2A
_wcslen.LIBCMT ref: 0027ED3B
_wcslen.LIBCMT ref: 0027ED79
_wcslen.LIBCMT ref: 0027EDAF
_wcslen.LIBCMT ref: 0027EDDF
_wcslen.LIBCMT ref: 0027EDEF
_wcslen.LIBCMT ref: 0027EE2B
_wcslen.LIBCMT ref: 0027EE5A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction ID: af112018266f63c60a2535f5c8ff93501216b2e3d2f46ecdd413e34c087d4faa
Opcode Fuzzy Hash: 4a63d7f2873d641925c3e9edc4ab72401004e401e3b784dcc996226ba96164e7
Instruction Fuzzy Hash: B9418AA5C2111876CB11FBF4888AACF77ACAF49710F518593F918E3112FB34E265C7A5

Function 0022F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0022F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0026F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 0026F454

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 99603524ee6b670e9f2f4eff829a29cb54c9d23cbc5985cc470576ab420b3abd
Instruction ID: 6c751888a2269474ec83eb58e81b56c1c330deb2e3a009c0caee6d950d8a0ecf
Opcode Fuzzy Hash: 99603524ee6b670e9f2f4eff829a29cb54c9d23cbc5985cc470576ab420b3abd
Instruction Fuzzy Hash: 03414A316382D1BBCBB88F69BB8C72A7BB5AB46314F54443CE04756660DA71A8F0CB10

Function 002A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A2D1B
GetDC.USER32(00000000), ref: 002A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 002A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A2DE1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction ID: e9adbc59af46f9306f6a7c3fd12602b9a77583ff2420727f5fe0ff66a60ac3d6
Opcode Fuzzy Hash: fef4013b8fcc33ddd3341ec4aeb475c7e85e697776b3addf528a336dbac92f91
Instruction Fuzzy Hash: 0B31CE72211610BFEB158F14DC8AFEB3FADEF4A711F044055FE089A291CA758C50CBA0

Function 00275622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275637
_memcmp.LIBVCRUNTIME ref: 00275659
_memcmp.LIBVCRUNTIME ref: 00275671
_memcmp.LIBVCRUNTIME ref: 00275684
_memcmp.LIBVCRUNTIME ref: 0027569E
_memcmp.LIBVCRUNTIME ref: 002756B1
_memcmp.LIBVCRUNTIME ref: 002756C9
_memcmp.LIBVCRUNTIME ref: 002756E4

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction ID: fe07817dfa7f024de866226c3e7c45ea80e32ae10e479956bd6d5326be6a9454
Opcode Fuzzy Hash: 83aa021161bc98a0373fafcd22c20ee6aa5705318be48988d5ec01059f93c0a9
Instruction Fuzzy Hash: 36212CA1670A2A77D21899118E82FFAB36DAF12394F448021FD0C9A545FBF4EE3085E5

Function 00294FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0029502E, 00295383
Not an Object type, xrefs: 00295007

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b1735f1399438aaf5e236abb666268023c78ef2379cca624f4686055c571f198
Instruction ID: 40d01edd8230f04f071123f8c5be59648c07a58bcf6fd0d823b20ae9f5898a89
Opcode Fuzzy Hash: b1735f1399438aaf5e236abb666268023c78ef2379cca624f4686055c571f198
Instruction Fuzzy Hash: BAD1C271B1061A9FDF11CFA8C881BAEB7B5FF48344F148069E919AB281E770DD55CB90

Function 00251522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00251651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002517FB,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002516FB

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00251777
__freea.LIBCMT ref: 002517A2
__freea.LIBCMT ref: 002517AE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7d911c7e11968f894ac19d1d3f51a366310386d778d72733f2a1861697dedef2
Instruction ID: 09d6e92d7f552e69288a2c3e0be6dad69ce6127cc3e1a598de3c048f9031156e
Opcode Fuzzy Hash: 7d911c7e11968f894ac19d1d3f51a366310386d778d72733f2a1861697dedef2
Instruction Fuzzy Hash: 7091C671E202169ADF248E78CC81BEEBBB59F49311F580659EC05E7181EB35DC78CB68

Function 00294523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00294648
VariantInit.OLEAUT32(?), ref: 00294749
VariantClear.OLEAUT32(?), ref: 00294753
VariantClear.OLEAUT32(?), ref: 002947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002945D8, 00294706, 002947BE
Incorrect Object type in FOR..IN loop, xrefs: 0029472C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9e89c69173454ef8705ba615bfdf8f8d89f47b4002c64be4d143d214046a4bd3
Instruction ID: eb650aad4da6aee393e1fc847c58cd5ed82536b68269c3e93047107360489afc
Opcode Fuzzy Hash: 9e89c69173454ef8705ba615bfdf8f8d89f47b4002c64be4d143d214046a4bd3
Instruction Fuzzy Hash: BA91A471A20219ABDF24DFA4DC84FEEBBB8EF46714F108559F505AB280D7709952CFA0

Function 00281187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0028125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0028135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00281430

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a8f5ab643726f087b5b5cff80074a916a96ff3464aa01ca8e0a02827349cdd67
Instruction ID: 254a38089c40eeb42d02e0ff46d436fcfa01a97451f9ef98b7f77beae060f786
Opcode Fuzzy Hash: a8f5ab643726f087b5b5cff80074a916a96ff3464aa01ca8e0a02827349cdd67
Instruction Fuzzy Hash: D091D079A21219AFEB00AF94D884BBE77B9FF45315F104029E900E72D1D774A976CF90

Function 0022948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction ID: 552b5d3bdef2879795870d8551eb28775e0f2fa69f024661f075359fe4840858
Opcode Fuzzy Hash: 0acbdb421a7f586876e83f3ae7d720480b9339fb9ee9eff1bec452f84bd2c503
Instruction Fuzzy Hash: 04911671E1021AAFCB10CFE9D884AEEBBB8FF49320F144155E515B7251D678A9A1CF60

Function 00293947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029396B
CharUpperBuffW.USER32(?,?), ref: 00293A7A
_wcslen.LIBCMT ref: 00293A8A
VariantClear.OLEAUT32(?), ref: 00293C1F

Part of subcall function 00280CDF: VariantInit.OLEAUT32(00000000), ref: 00280D1F
Part of subcall function 00280CDF: VariantCopy.OLEAUT32(?,?), ref: 00280D28
Part of subcall function 00280CDF: VariantClear.OLEAUT32(?), ref: 00280D34

Strings

Incorrect Parameter format, xrefs: 002939A6, 00293BA1
AUTOIT.ERROR, xrefs: 00293A80, 00293A85

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 59a57b325d569dd164a1da43c920f8f6cbdded3596ec12cc97fa911bf376a39f
Instruction ID: e37a524a019c589960e36c784d6361d656f36b7907e021e7b7d6be0c4c3a9fee
Opcode Fuzzy Hash: 59a57b325d569dd164a1da43c920f8f6cbdded3596ec12cc97fa911bf376a39f
Instruction Fuzzy Hash: 229145756283059FCB00EF64C49096AB7E5BF89314F14886EF88A9B351DB30EE55CF92

Function 00294BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0027000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?,?,0027035E), ref: 0027002B
Part of subcall function 0027000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270046
Part of subcall function 0027000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
Part of subcall function 0027000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?), ref: 00270064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00294C51
_wcslen.LIBCMT ref: 00294D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00294DCF
CoTaskMemFree.OLE32(?), ref: 00294DDA

Strings

NULL Pointer assignment, xrefs: 00294E23, 00294E52

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction ID: c4ab20b70c7ebaf824f1004e489ce3c4f4507563522b0481d37f189ec3c709e9
Opcode Fuzzy Hash: c5256cf3a9feed9e633dfe4b735744eae0543ef081582fc04f137023feb890ae
Instruction Fuzzy Hash: B9913871D1021DAFDF14EFA4C891EEEB7B8BF08304F10816AE919A7251DB309A55CFA0

Function 002A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A2183
GetMenuItemCount.USER32(00000000), ref: 002A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A21DD
_wcslen.LIBCMT ref: 002A2213
GetMenuItemID.USER32(?,?), ref: 002A224D
GetSubMenu.USER32(?,?), ref: 002A225B

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002A22E3

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7fd0589bc6b32f07db0132759fa84ba408bf5d28856e715000c454a3276e6251
Instruction ID: 9821dc25f5621b68340cc197067f4f2d455e340772dade8fba091bc18a2d2761
Opcode Fuzzy Hash: 7fd0589bc6b32f07db0132759fa84ba408bf5d28856e715000c454a3276e6251
Instruction Fuzzy Hash: B4718E75A20205EFCB10DFA8C845AAEB7F5EF89310F108499E916EB351DB34ED558F90

Function 0027AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0027AEF9
GetKeyboardState.USER32(?), ref: 0027AF0E
SetKeyboardState.USER32(?), ref: 0027AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0027AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0027AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0027AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0027B020

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction ID: 5ced176a8a424931cbb77ef887358f5291644e80acaad4ee7bf7ff6d4a97474c
Opcode Fuzzy Hash: a4ccdf16cc7675fe8b1a7ca0bcee6aedef151460f3e0495dbc40f21523be89d9
Instruction Fuzzy Hash: 7151E5A09243D23DFB3746348845BBB7E995B46314F08C589E1DD858C2C3A998E4D752

Function 0027ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0027AD19
GetKeyboardState.USER32(?), ref: 0027AD2E
SetKeyboardState.USER32(?), ref: 0027AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0027ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0027ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0027AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0027AE38

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction ID: e4c0ceb6dd602218ba96db255ac7fdf71b34e146c160a41181c0ec711e83b14c
Opcode Fuzzy Hash: 8fec7f90d36d57d2e732b4a12d90e438e6557c778fd86480196676b2cb1971c1
Instruction Fuzzy Hash: 8C51E6A19247D23EFB378B248C45B7E7E985B86310F08C498E0DD468C3C6B4ECA4D752

Function 0024542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00253CD6,?,?,?,?,?,?,?,?,00245BA3,?,?,00253CD6,?,?), ref: 00245470
__fassign.LIBCMT ref: 002454EB
__fassign.LIBCMT ref: 00245506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00253CD6,00000005,00000000,00000000), ref: 0024552C
WriteFile.KERNEL32(?,00253CD6,00000000,00245BA3,00000000,?,?,?,?,?,?,?,?,?,00245BA3,?), ref: 0024554B
WriteFile.KERNEL32(?,?,00000001,00245BA3,00000000,?,?,?,?,?,?,?,?,?,00245BA3,?), ref: 00245584

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction ID: afc24ad09da0fabbfcb92835f9e50ebd3dd221f93a2e04a6fdf92524668d4dc2
Opcode Fuzzy Hash: 90c86d7da5737bf70c82514a393503c4f06d6cab38bc973a3f4566c93399eac3
Instruction Fuzzy Hash: 6B5103B0A10649AFDB15CFA8D885AEEBBF9EF09300F14401AF585E7292D7709A51CF60

Function 002910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029304E: inet_addr.WSOCK32(?), ref: 0029307A
Part of subcall function 0029304E: _wcslen.LIBCMT ref: 0029309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00291112
WSAGetLastError.WSOCK32 ref: 00291121
WSAGetLastError.WSOCK32 ref: 002911C9
closesocket.WSOCK32(00000000), ref: 002911F9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction ID: 6f23f9ed1f3d5518eb6ca7da3d9e1b5f60dd8fb81722cbcc6890e795399570a7
Opcode Fuzzy Hash: 0c65e6228be78060b5ba8d775ca571530e87204f961ccbb937e42504004a8c95
Instruction Fuzzy Hash: 1641F431610206AFDB109F15D888BA9BBE9FF45324F248059FD199B291CB74EDA1CFE0

Function 0027CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

lstrcmpiW.KERNEL32(?,?), ref: 0027CF45
MoveFileW.KERNEL32(?,?), ref: 0027CF7F
_wcslen.LIBCMT ref: 0027D005
_wcslen.LIBCMT ref: 0027D01B
SHFileOperationW.SHELL32(?), ref: 0027D061

Strings

\*.*, xrefs: 0027CFF3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction ID: 531a4f69491d60919d8edfabd88a29090fc2fd18f233badf67988eb3e0ed4b22
Opcode Fuzzy Hash: 4cecb8ab323c4226ca60929c9ceceb0f9521dbd5eccb52d5704ba33979f64882
Instruction Fuzzy Hash: 5B4198718152195FDF12EFB4C981BDDB7B8AF09340F1040E6E50DE7141EA34AA94CF50

Function 002A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 002A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 002A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 002A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A2F0B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction ID: caed1071d729cf2d7b9616a6ca27bb0ffba8113708ae4efe36e20bf755470caa
Opcode Fuzzy Hash: 41e68ef44e226605dde86f651530011c47c435fc9e7807514cd3bbd323718433
Instruction Fuzzy Hash: 6731E230654151EFDB25CF5CED88F6537E5EB8AB10F150164F9049F2A2CB71B8A8DB41

Function 00277726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027778F
SysAllocString.OLEAUT32(00000000), ref: 00277792
SysAllocString.OLEAUT32(?), ref: 002777B0
SysFreeString.OLEAUT32(?), ref: 002777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002777DE
SysAllocString.OLEAUT32(?), ref: 002777EC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c3ef68c4e9033b2bc247147e38e3b4cd008b6768520e1506024ae7f775ec03e5
Instruction ID: f427060448ad05bc5bc4c39acd9687d7c7be4eb64b908d39f2cfc6b5ed825204
Opcode Fuzzy Hash: c3ef68c4e9033b2bc247147e38e3b4cd008b6768520e1506024ae7f775ec03e5
Instruction Fuzzy Hash: BA21C476614219AFDF14EFA8DC88CBBB7ECEB0A3647108025F908DB150DA70DC418B64

Function 002777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00277868
SysAllocString.OLEAUT32(00000000), ref: 0027786B
SysAllocString.OLEAUT32 ref: 0027788C
SysFreeString.OLEAUT32 ref: 00277895
StringFromGUID2.OLE32(?,?,00000028), ref: 002778AF
SysAllocString.OLEAUT32(?), ref: 002778BD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0c8004b4c3615f240362ed43018f1d7a9b716f52356a07c2ef437d9e48248518
Instruction ID: 0127463a3219481e88ce657d375bdc5db2080b60476e7ab89a1476dbe9859dff
Opcode Fuzzy Hash: 0c8004b4c3615f240362ed43018f1d7a9b716f52356a07c2ef437d9e48248518
Instruction Fuzzy Hash: B7219D31619205AFDB10AFA8EC8CDBA77ECEB093607108125F919CB2A1DA70DC51DB65

Function 002804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0028052E

Strings

nul, xrefs: 00280567

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction ID: 0323d507b6bb36837dab14ac5b01f4cf7a553812f1eb9345e0733316c2b50298
Opcode Fuzzy Hash: 3092796d825a06032e0fcf0038583961083a1dd765b6f91c1087b901ca2df14b
Instruction Fuzzy Hash: 0E21A5795113069FCB20AF29EC84A5A77E4BF45720F604A19F8A1D21E0D7749968CF30

Function 002805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00280601

Strings

nul, xrefs: 00280639

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction ID: 89aa3f1dc1e44795ac0b89f338f8cc527524b79a1a7e3b14285eeff93526eb68
Opcode Fuzzy Hash: b555ba6996a7fb7a451d46ec0feb29eaec7d7696f2648b42ec1f96a70818e942
Instruction Fuzzy Hash: DD21B7395113169FDB60AF68DC84A5A77E8BF85720F200B19FCA1D32D0EBB09874CB10

Function 002A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A4145

Strings

Msctls_Progress32, xrefs: 002A40E3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction ID: 6d8702635ba75fd8d26e82f2de77d40b672d877f26ed0ff20a89703f79ade25c
Opcode Fuzzy Hash: 51ba8009c1f34cad59c3d6457efc44dd19cf0db3b0cc3abf152a8d4b3a8aec26
Instruction Fuzzy Hash: CA11B2B215021ABFEF119F64CC85EE77F9DEF09798F004111BA18A6150CAB2DC61DBA4

Function 0024D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024D7A3: _free.LIBCMT ref: 0024D7CC

_free.LIBCMT ref: 0024D82D

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D838
_free.LIBCMT ref: 0024D843
_free.LIBCMT ref: 0024D897
_free.LIBCMT ref: 0024D8A2
_free.LIBCMT ref: 0024D8AD
_free.LIBCMT ref: 0024D8B8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8fc96857f7ecb59ef4652d1aeaab4679ca90e73d920aec9bd5a62ee6181de18f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 6D115171560B04EBE925BFB1CC47FCBBBDC6F00700F800825B299A6192DA75B5254E50

Function 0027DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0027DA74
LoadStringW.USER32(00000000), ref: 0027DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0027DA91
LoadStringW.USER32(00000000), ref: 0027DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0027DAB9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fecbcf32a50df63ab43b860cb683f70e84ea1fd296ec6fa944d429fd2d5f5305
Instruction ID: 8915d025f1d02bd07b999391fcf445635c3302120ee8d33582042f4a5e8d5655
Opcode Fuzzy Hash: fecbcf32a50df63ab43b860cb683f70e84ea1fd296ec6fa944d429fd2d5f5305
Instruction Fuzzy Hash: 6D0162F29102087FE710DBA4AD8DEE7736CEB09701F504496B74AE2141EA749E844F74

Function 0028096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0185D450,0185D450), ref: 0028097B
EnterCriticalSection.KERNEL32(0185D430,00000000), ref: 0028098D
TerminateThread.KERNEL32(?,000001F6), ref: 0028099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002809A9
CloseHandle.KERNEL32(?), ref: 002809B8
InterlockedExchange.KERNEL32(0185D450,000001F6), ref: 002809C8
LeaveCriticalSection.KERNEL32(0185D430), ref: 002809CF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction ID: 300b62fbd328095c5746105533add763bae24ad30333c593c0c32366d6e38aa0
Opcode Fuzzy Hash: e83b34eb3a7dd42124b94ed260005c7cd082d2ff19987743640ed1163a383e8c
Instruction Fuzzy Hash: 31F0C932542A12FBD7516FA4EE8DBD6BA29FF06702F502025F602908A1DF75A875CF90

Function 00291C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00291DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00291DE1
WSAGetLastError.WSOCK32 ref: 00291DF2
htons.WSOCK32(?), ref: 00291EDB
inet_ntoa.WSOCK32(?), ref: 00291E8C

Part of subcall function 002739E8: _strlen.LIBCMT ref: 002739F2

Part of subcall function 00293224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0028EC0C), ref: 00293240

_strlen.LIBCMT ref: 00291F35

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c10a91c5451817ed234d5911961230093de5ae00cc5952c60c55b770cdd28c6c
Instruction ID: a1b98491035299f0af779c18c352f17254283589767060bd8e2615abecc61650
Opcode Fuzzy Hash: c10a91c5451817ed234d5911961230093de5ae00cc5952c60c55b770cdd28c6c
Instruction Fuzzy Hash: 09B12430214302AFC724DF25C885E6A77E5AF94318F54855CF4564B2E2DB31EDA2CF91

Function 002401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002400D6
__allrem.LIBCMT ref: 002400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024010B
__allrem.LIBCMT ref: 00240122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00240140

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 37cb75cf08a1997f6f9ec1bb4f9f56f0988deb3ae52fc467730a73c58462c78e
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 788149B2A207029BE728AF79DC81B6B73E8AF41724F24453AF915D76C1E770D9608F50

Function 002461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002382D9,002382D9,?,?,?,0024644F,00000001,00000001,8BE85006), ref: 00246258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0024644F,00000001,00000001,8BE85006,?,?,?), ref: 002462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002463D8
__freea.LIBCMT ref: 002463E5

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

__freea.LIBCMT ref: 002463EE
__freea.LIBCMT ref: 00246413

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cc3eb0085a6bc1522a6a962a426f4e24b95db3f3069b92f5a9ed8ff2f798152b
Instruction ID: 2ce221695e6dd40d9fd67c67914a89e615e6e5cf85851ff9874241b5d35e8d8a
Opcode Fuzzy Hash: cc3eb0085a6bc1522a6a962a426f4e24b95db3f3069b92f5a9ed8ff2f798152b
Instruction Fuzzy Hash: E4513772620207ABDB2D8FA0CC89EAF7BA9EF46B10F144269FC05D6140DB74DC60CA61

Function 0029BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029BD25
RegCloseKey.ADVAPI32(00000000), ref: 0029BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0029BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029BDF3
RegCloseKey.ADVAPI32(?), ref: 0029BDFF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 917a4d25edfecab3bb44a652b2ad14fb735276aa357799836ba65a053c1a8808
Instruction ID: 2a78c7467fcfd44c0748f1124794638b8a0bdc47c987b44ca5c73edf4bf7236f
Opcode Fuzzy Hash: 917a4d25edfecab3bb44a652b2ad14fb735276aa357799836ba65a053c1a8808
Instruction Fuzzy Hash: FE81BE30228241AFCB15DF24D985E6ABBE5FF85308F14846DF4994B2A2CB31ED55CF92

Function 0026F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0026F7B9
SysAllocString.OLEAUT32(00000001), ref: 0026F860
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F889
VariantClear.OLEAUT32(0026FA64), ref: 0026F8AD
VariantCopy.OLEAUT32(0026FA64,00000000), ref: 0026F8B1
VariantClear.OLEAUT32(?), ref: 0026F8BB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3fe3d3738c5b79177fd2b63af837ef6f43f56f3bc69824a321a09dc61f771226
Instruction ID: c0195f37c157b697d4a3954fc8fc8577827dbbcabbce01caa0b2b3353d8e7894
Opcode Fuzzy Hash: 3fe3d3738c5b79177fd2b63af837ef6f43f56f3bc69824a321a09dc61f771226
Instruction Fuzzy Hash: 3851D531631310BACF90AF65F995B29B3E8EF55310B208466E905DF291DBB08CE0CB96

Function 0028910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002894E5
_wcslen.LIBCMT ref: 00289506
_wcslen.LIBCMT ref: 0028952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00289585

Strings

X, xrefs: 00289412

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1f905e31d342754e88506fcf2035312758f918f184bbf879d05d58a8ca7b90c1
Instruction ID: 0c8904f7a558c382974330194a4b26483aed4276ee7537707d1b977ebaa1f0b3
Opcode Fuzzy Hash: 1f905e31d342754e88506fcf2035312758f918f184bbf879d05d58a8ca7b90c1
Instruction Fuzzy Hash: C0E1D4345243419FD714EF24C881AAEB7E5BF94314F08856DF8899B2A2DB30DD95CF91

Function 0022920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

BeginPaint.USER32(?,?,?), ref: 00229241
GetWindowRect.USER32(?,?), ref: 002292A5
ScreenToClient.USER32(?,?), ref: 002292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002292D3
EndPaint.USER32(?,?,?,?,?), ref: 00229321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002671EA

Part of subcall function 00229339: BeginPath.GDI32(00000000), ref: 00229357

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction ID: 80de8c4991cd1908b7444c997b2cb0079139cc138246b5eb94f37807c408df54
Opcode Fuzzy Hash: 605dfdbb2bf2a62b03a24fe0bc83080e1afa24cd31e8400c82b86f7f72ef3372
Instruction Fuzzy Hash: D941B230114251EFD710DF64EC88FBA7BB8EF46724F140669F9548B2A2CB7098A5DB61

Function 002807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0028080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00280847
EnterCriticalSection.KERNEL32(?), ref: 00280863
LeaveCriticalSection.KERNEL32(?), ref: 002808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00280921

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 9a56d1b92ffb0ac8cf4b28bdfca3e054899011f87e880c504573375b5a2bf594
Instruction ID: 79e137d1de25983374aba0755ca7f9396be9f161f3a296e629f038b37034281b
Opcode Fuzzy Hash: 9a56d1b92ffb0ac8cf4b28bdfca3e054899011f87e880c504573375b5a2bf594
Instruction Fuzzy Hash: F8416A71A10205EBDF55AF94EC85AAA7778FF04310F1440B9ED04AA296DB30DE64DFA4

Function 002A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0026F3AB,00000000,?,?,00000000,?,0026682C,00000004,00000000,00000000), ref: 002A824C
EnableWindow.USER32(?,00000000), ref: 002A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002A82D1
ShowWindow.USER32(?,00000004), ref: 002A82E5
EnableWindow.USER32(?,00000001), ref: 002A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002A832F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction ID: 0b5b4f83a12260ee5d7413b87c02fe55f3fa8a45bd04670d35d155df472a6de4
Opcode Fuzzy Hash: effbaa2786a66ca9d0af4d5ac865818f523c5323646266302febc098d82731aa
Instruction Fuzzy Hash: 2F418334601685EFDF15CF15E899BB47BE0BB4B714F1841A9EA484F262CF31A865CB50

Function 00274C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00274C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00274CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00274CEA
_wcslen.LIBCMT ref: 00274D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00274D10
_wcsstr.LIBVCRUNTIME ref: 00274D1A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5b958b21649c98ebfc64807cd0037be1e52470de7019fe5bf7404af3cdcdf666
Instruction ID: cf653dba2aba08c88dc99cd6d8bc24a4c26ae99f64ca6162fccfc5888b7d4496
Opcode Fuzzy Hash: 5b958b21649c98ebfc64807cd0037be1e52470de7019fe5bf7404af3cdcdf666
Instruction Fuzzy Hash: 3C212C71214111BBEB2AAF79AD09E7B7BACDF46750F10807EF809CA151EF71DC1086A0

Function 0028581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00213AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00213A97,?,?,00212E7F,?,?,?,00000000), ref: 00213AC2

_wcslen.LIBCMT ref: 0028587B
CoInitialize.OLE32(00000000), ref: 00285995
CoCreateInstance.OLE32(002AFCF8,00000000,00000001,002AFB68,?), ref: 002859AE
CoUninitialize.OLE32 ref: 002859CC

Strings

.lnk, xrefs: 00285876, 002858C1, 00285985

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction ID: af003eeea7d1bbf661ce61bfe037d55c5d6896c5c864192faf5a1eb8c293761a
Opcode Fuzzy Hash: f1cfc8b0290c51b56977da7a44bc662f0718915f843c775501c7a678587b67a3
Instruction Fuzzy Hash: EBD174786286119FC714EF24C48096ABBF2FF99314F148859F8899B3A1DB31EC55CF92

Function 0027175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
Part of subcall function 00270FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
Part of subcall function 00270FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
Part of subcall function 00270FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
Part of subcall function 00270FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

GetLengthSid.ADVAPI32(?,00000000,00271335), ref: 002717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002717BA
HeapAlloc.KERNEL32(00000000), ref: 002717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002717DA
GetProcessHeap.KERNEL32(00000000,00000000,00271335), ref: 002717EE
HeapFree.KERNEL32(00000000), ref: 002717F5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction ID: aac7a351a7d099107727a74d96736c73e665a03d4dea845c0fafad4f6f4dd4d5
Opcode Fuzzy Hash: c60d8926649e8d9c52f179e17100328f92ed169e62632affbeca1fe67c89ee41
Instruction Fuzzy Hash: B9118171620205FFDB149FA8DC49BAEBBA9EF46355F208018F4499B110DB359964CB60

Function 002714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00271506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00271515
CloseHandle.KERNEL32(00000004), ref: 00271520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00271563

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction ID: 388278151bae07f1bc6e5e2abba14f98612164c05add604de2df8d193cd22c92
Opcode Fuzzy Hash: bae1cc8b0d494c8a377990aa891811b0a727ba0ee2b3697555114d7406525dfc
Instruction Fuzzy Hash: 1B11677250020EABDF119FA8ED49FDF7BA9EF49704F148064FA09A2060C771CE64DB60

Function 00233382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00233379,00232FE5), ref: 00233390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0023339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002333B7
SetLastError.KERNEL32(00000000,?,00233379,00232FE5), ref: 00233409

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction ID: a6b31443b58a296083442d7a28645c5a2ad2994429c3be30107f5c269fa04ab5
Opcode Fuzzy Hash: 9fe5a23cf3f745e9f61f3ea7343f514e9a363bfb76232bbd7a4899751966a148
Instruction Fuzzy Hash: 3A012DB3639313BF96146B757C8A6665B54D705376F30C26AF510811F0EF114F319984

Function 00242D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00245686,00253CD6,?,00000000,?,00245B6A,?,?,?,?,?,0023E6D1,?,002D8A48), ref: 00242D78
_free.LIBCMT ref: 00242DAB
_free.LIBCMT ref: 00242DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0023E6D1,?,002D8A48,00000010,00214F4A,?,?,00000000,00253CD6), ref: 00242DEC
_abort.LIBCMT ref: 00242DF2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5fb029f48b44055da3588e872cdaef7c89e8e7d7a6ae5472eaa122056f9a7eed
Instruction ID: 951b669a53583f5ba7d387ae140be83b549fa9feeb6242b96240c7d8052793f9
Opcode Fuzzy Hash: 5fb029f48b44055da3588e872cdaef7c89e8e7d7a6ae5472eaa122056f9a7eed
Instruction Fuzzy Hash: B5F02831D35A02E7C61E7B37BC0EF1E2659AFC27A0FB40019F824922D2EE708C394520

Function 002A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002A8A70
LineTo.GDI32(?,00000000,00000003), ref: 002A8A80
EndPath.GDI32(?), ref: 002A8A90
StrokePath.GDI32(?), ref: 002A8AA0

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction ID: d9c81490386d9b0ae1acd63e2b4c0b034912d06e71d5442674bb36c0a3a25c74
Opcode Fuzzy Hash: 71a22250ce2edb11c8c5745c3b7e43bbb43b6ff6b5c49e1b3967e34943d0c78d
Instruction Fuzzy Hash: 7E111B7604014DFFDF129F90EC88FAA7F6CEB09350F108022BA199A1A1CB719D65DFA0

Function 002751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00275218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00275229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00275230
ReleaseDC.USER32(00000000,00000000), ref: 00275238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00275261

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction ID: 39527d4af34b43e881b1bc5c563d3666a2db9664c6dfde65947d37c8cb123f4c
Opcode Fuzzy Hash: d282d970d9dc02bb11c9a723b44b928fdc55f5ba697863358364d9e94c60f811
Instruction Fuzzy Hash: A4014F75A00719BBEB109FA5AC49A5EBFB8EB49751F144065FA08A7281DA709C10CFA0

Function 00211BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00211BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00211BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00211C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00211C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00211C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00211C22

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6bebcd4f2529e786265460ed0b3430b4d733db966360f9b4267d055695b660bf
Instruction ID: 772f7203c1431f04e262960f0d92d87c1d688a8e0301576e463fbc8564aa7e40
Opcode Fuzzy Hash: 6bebcd4f2529e786265460ed0b3430b4d733db966360f9b4267d055695b660bf
Instruction Fuzzy Hash: 9D0167B0902B5ABDE3008F6A8C85B52FFE8FF59754F04411BA15C4BA42C7F5A864CBE5

Function 0027EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0027EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0027EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027EB75

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction ID: 66ebed7bf8db00c7a754de1734df4d1cbf77bf17f8b55dcbf2a4301666bfb470
Opcode Fuzzy Hash: 1021fdf1c899ad3cae3760f738aebc8ad23dd025bfaba6270d4ac5d35484f339
Instruction Fuzzy Hash: F8F01772240159BBE7219B62AC0EEAB3A7CEBCBF11F104159F601D1091EBA05A018AB5

Function 00267439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00267452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00267469
GetWindowDC.USER32(?), ref: 00267475
GetPixel.GDI32(00000000,?,?), ref: 00267484
ReleaseDC.USER32(?,00000000), ref: 00267496
GetSysColor.USER32(00000005), ref: 002674B0

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction ID: 3d62d56a7cec90b1a97e1c421cae362a3cb7ffe93a1bf30b97220ca22328c3d7
Opcode Fuzzy Hash: 08374e017652260381f4667bac4a3eeba384091b4eb6df1fca7043cb2d25e952
Instruction Fuzzy Hash: DC018B31410215EFDB109FA4ED0CBAA7BB5FB05711F600060F925A21A0CF311EA1AB50

Function 00271874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027187F
UnloadUserProfile.USERENV(?,?), ref: 0027188B
CloseHandle.KERNEL32(?), ref: 00271894
CloseHandle.KERNEL32(?), ref: 0027189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002718A5
HeapFree.KERNEL32(00000000), ref: 002718AC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction ID: 77f8c5649fa14b8ac2b2ac2bb7708e1640f030cf4a117ff97ca293baf48d6d91
Opcode Fuzzy Hash: bfd01c299b00f6e5730d7b06c5cd92c7c052ef7e796c08cf3bb9358bbf581529
Instruction Fuzzy Hash: 31E07576204505FBDB016FA5FD0C94ABF79FF4AB22B608625F22981471DF329461DF50

Function 0021BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021BEB3

Strings

D%., xrefs: 0021BCA2
D%., xrefs: 0021BE9A
D%.D%., xrefs: 0021BCA5
D%., xrefs: 0021BDED, 0021BD91, 0021BD1B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%.$D%.$D%.$D%.D%.
API String ID: 1385522511-515690787
Opcode ID: ae38c81ffed08ea3f7fa56757a738a2dd53b8c2cea22501d0667e188e1c76326
Instruction ID: 1304abafae36f14710d270c4f782101764a765c42c16137ba444f5168162f0d4
Opcode Fuzzy Hash: ae38c81ffed08ea3f7fa56757a738a2dd53b8c2cea22501d0667e188e1c76326
Instruction Fuzzy Hash: 0D914A75A2020ACFCB19CF59C0906EAB7F1FF69310F64416AD946AB350D771ADA1CBD0

Function 00297B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00230242: EnterCriticalSection.KERNEL32(002E070C,002E1884,?,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023024D
Part of subcall function 00230242: LeaveCriticalSection.KERNEL32(002E070C,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023028A

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

__Init_thread_footer.LIBCMT ref: 00297BFB

Part of subcall function 002301F8: EnterCriticalSection.KERNEL32(002E070C,?,?,00228747,002E2514), ref: 00230202
Part of subcall function 002301F8: LeaveCriticalSection.KERNEL32(002E070C,?,00228747,002E2514), ref: 00230235

Strings

+T&, xrefs: 00297E2E
Variable must be of type 'Object'., xrefs: 00297C3A
5, xrefs: 00297C78
G, xrefs: 00297C7F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T&$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2833248500
Opcode ID: b55501516e0efb75768d2b817069fda4f8142be1c26fc3bf0b53a44a6245160c
Instruction ID: aea7d55d787fde7602a31f04ba79b89faf32d78957e530346dc3ccb274a21992
Opcode Fuzzy Hash: b55501516e0efb75768d2b817069fda4f8142be1c26fc3bf0b53a44a6245160c
Instruction Fuzzy Hash: A0919D74A34209EFCF04EF54D8919ADB7B1FF49300F548059F8069B292DB71AE61CB61

Function 0027C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027C6EE
_wcslen.LIBCMT ref: 0027C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0027C7CA

Strings

0, xrefs: 0027C6AF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 318ffec765147b2dc3da49374e440b88e729e971ccf53cd2a94e1492b0c54767
Instruction ID: 1f84185c02c30a7a737104ea0a3470285c8a18ad0a775e0fb50202a27eda19a6
Opcode Fuzzy Hash: 318ffec765147b2dc3da49374e440b88e729e971ccf53cd2a94e1492b0c54767
Instruction Fuzzy Hash: 1951E3716343029BD7199F38D885A6BB7E8AF85310F24892DF599E21D0DB70D9248F52

Function 0029AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0029AEA3

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

GetProcessId.KERNEL32(00000000), ref: 0029AF38
CloseHandle.KERNEL32(00000000), ref: 0029AF67

Strings

@, xrefs: 0029AE72
<, xrefs: 0029AE6B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ec444a2cf6554645f1d336788fc5ff0b395327c812b705939796a13b35ad6c1b
Instruction ID: 8e7b802c29244f8e191dcf32c3cf6f51b9ee04e4dff9220a20bf5d7e3dadf40e
Opcode Fuzzy Hash: ec444a2cf6554645f1d336788fc5ff0b395327c812b705939796a13b35ad6c1b
Instruction Fuzzy Hash: D2715670A20219DFCF14DF54C484A9EBBF1BF08300F0484A9E856AB662CB71ED95CF91

Function 0027719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00277206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0027723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0027724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002772CF

Strings

DllGetClassObject, xrefs: 00277242

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction ID: 6c08833049ba8c21e88ee07045fd6c968261bb23998e81fc9a0c15410c8bf16c
Opcode Fuzzy Hash: ac32ed0e29e5c56378de251611a60bd581fba6c6c6ef0c4d8af41e64176515ba
Instruction Fuzzy Hash: 03418D71A14204EFDB15CF64C884A9A7BB9EF49314F24C0AABD19DF20AD7B0DD54CBA0

Function 002A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A2F8D
LoadLibraryW.KERNEL32(?), ref: 002A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A2FA9
DestroyWindow.USER32(?), ref: 002A2FB1

Strings

SysAnimate32, xrefs: 002A2F68

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction ID: 07565d61ee2b9eac3470fd259fb16cf223d24d8dca55479a39b0b95325ea06d8
Opcode Fuzzy Hash: f4a80fa04916e51a630ae662191fb156a79344a67430ae5cff73e5964de90351
Instruction Fuzzy Hash: F721C071220206EFEB108F68DC84FBB77BDEB5A364F104219FA50D6590DB71DCA59B60

Function 00234D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002), ref: 00234D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00234DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00234D1E,002428E9,?,00234CBE,002428E9,002D88B8,0000000C,00234E15,002428E9,00000002,00000000), ref: 00234DC3

Strings

CorExitProcess, xrefs: 00234D98
mscoree.dll, xrefs: 00234D86

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction ID: 0d82e6ee1a378e4d4833de78121b2d748380378c6aaa60a931dbe714cf58d7e9
Opcode Fuzzy Hash: de5768fe9d34b553e971399e41c9595f8445795c97113bea4ea74b86930421a0
Instruction Fuzzy Hash: 92F03C74A50209ABDB159F94EC49BAEBFE5EB45752F1001A4E90AA2260CF70AE50DA90

Function 0026D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0026D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0026D3BF
FreeLibrary.KERNEL32(00000000), ref: 0026D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0026D3B9
X64, xrefs: 0026D2A8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction ID: be80f758d48cc9a2499ebecaa67f0be126d5b49c4853117ec23e784097c8b558
Opcode Fuzzy Hash: a62448563147c83bd3f4c591846612b7aed85799aa2f9399c0f214435f21015d
Instruction Fuzzy Hash: 74F05571F3962ADBD7711B219C3C9693724AF12701B6484E5F806EA216DFA0CDF08AD2

Function 00214E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00214EAE
FreeLibrary.KERNEL32(00000000,?,?,00214EDD,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214EC0

Strings

kernel32.dll, xrefs: 00214E94
Wow64DisableWow64FsRedirection, xrefs: 00214EA8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction ID: ffb02e2dc5adf9df151f250b87a84d9edafb856afb7597974b977b124c2d2b18
Opcode Fuzzy Hash: ebfe66d95d7ace7b2f328307fe4dedc6251bc78d52cf82462cab1da048a8286f
Instruction Fuzzy Hash: D6E0CD35B115235BD2322F25BC1CB9F65D4AF93F627150115FC0CD2200DF60CD5144B1

Function 00214E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00214E74
FreeLibrary.KERNEL32(00000000,?,?,00253CDE,?,002E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00214E87

Strings

kernel32.dll, xrefs: 00214E5B
Wow64RevertWow64FsRedirection, xrefs: 00214E6E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction ID: 1d8e567bd9d110d4d971ff7fd3e820ecbf959a08882549711067b6c0dcb098df
Opcode Fuzzy Hash: 76a802d2c25cf17cc85ed7686bd2141c9bc14c7df58e651c0321e5a1df88f7a3
Instruction Fuzzy Hash: F5D012356226235756222F25BC1CDCB6A58AF87B553150625F90DA2114CF61CD6285E0

Function 0029A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0029A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029A468
CloseHandle.KERNEL32(?), ref: 0029A63D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 967e17b2c34a78c5ab1cefff40f3fc87f1c290cc8012121f80f273771145613d
Instruction ID: 8f0f66ea4312631610b874e08fd3d766df43a059dd4cd14172bf4ed908976cb7
Opcode Fuzzy Hash: 967e17b2c34a78c5ab1cefff40f3fc87f1c290cc8012121f80f273771145613d
Instruction Fuzzy Hash: DFA1EF71614301AFDB20DF24D886F2AB7E5AF94714F14881DF95A8B292DBB0EC51CF82

Function 0024BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002B3700), ref: 0024BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0024BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002E1270,000000FF,?,0000003F,00000000,?), ref: 0024BC36
_free.LIBCMT ref: 0024BB7F

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024BD4B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: cf040315ccb4b5f7e700e955a68919aa3bea9cbce444de5e3a55cb3e8ea13dec
Instruction ID: 1203e2b88c9b65c45e40e63a1a55cd354a5782baae5cf42ae7a97bcae19e5cef
Opcode Fuzzy Hash: cf040315ccb4b5f7e700e955a68919aa3bea9cbce444de5e3a55cb3e8ea13dec
Instruction Fuzzy Hash: E251C771D1021AEFCB19EF65DCC59AEBBB8EF41310B1002AAE954D7191EB70DD618B50

Function 0027E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027CF22,?), ref: 0027DDFD

Part of subcall function 0027DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027CF22,?), ref: 0027DE16

Part of subcall function 0027E199: GetFileAttributesW.KERNEL32(?,0027CF95), ref: 0027E19A

lstrcmpiW.KERNEL32(?,?), ref: 0027E473
MoveFileW.KERNEL32(?,?), ref: 0027E4AC
_wcslen.LIBCMT ref: 0027E5EB
_wcslen.LIBCMT ref: 0027E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0027E650

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction ID: 1aa3ed9c92586497552eca3050d7fdf9eb7214069f16eba93ff257d2b0fed117
Opcode Fuzzy Hash: f3fee149f60ddbb7c3e2be95bba574eb934ff533921122402830eb7b188f5359
Instruction Fuzzy Hash: 5F51B4B20183855BCB24EB90D8919DB73ECAF99340F00495EF68DD3151EF74A5988B66

Function 0029B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 0029C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029B6AE,?,?), ref: 0029C9B5
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029C9F1
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA68
Part of subcall function 0029C998: _wcslen.LIBCMT ref: 0029CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0029BB63
RegCloseKey.ADVAPI32(?,?), ref: 0029BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0029BBB3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 36ea7880d8c5259c4caf8f8b990f96c5e49dc353fe17282235c9f8ebf9f9b945
Instruction ID: 24f15088d51be774a08aa9b2a3c01b82f97b461da105bcdf6d6e947ca84115a2
Opcode Fuzzy Hash: 36ea7880d8c5259c4caf8f8b990f96c5e49dc353fe17282235c9f8ebf9f9b945
Instruction Fuzzy Hash: 6161D131228241AFC715DF24D5A0E6ABBE5FF84308F14855CF4998B2A2CB31ED95CF92

Function 00278BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00278BCD
VariantClear.OLEAUT32 ref: 00278C3E
VariantClear.OLEAUT32 ref: 00278C9D
VariantClear.OLEAUT32(?), ref: 00278D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00278D3B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction ID: ba61e6245641293833b4869eebade152cc1714420b51739129f0074341471bf6
Opcode Fuzzy Hash: 52c9453ace9235e982a950333c9e91cd61cbf45185997dc1acbe4256a833f3c4
Instruction Fuzzy Hash: 61515DB5A10219DFCB14CF68D894AAAB7F8FF8D314B158559E909DB350E730E911CF90

Function 00288AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00288BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00288BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00288C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00288C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00288C5F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2d89823e74e8dcd16d95d243c66f0a2bd58a38a7fe24a3e0c0118444da133bfa
Instruction ID: 3f1fde07f9c4812a01ee5f06258bbd099f9683cf120db08e8d1608364a9ff249
Opcode Fuzzy Hash: 2d89823e74e8dcd16d95d243c66f0a2bd58a38a7fe24a3e0c0118444da133bfa
Instruction Fuzzy Hash: 2E514E35A10215AFCB05DF64C885AADBBF5FF49314F088459E849AB3A2DB31ED61CF90

Function 00298EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00298F40
GetProcAddress.KERNEL32(00000000,?), ref: 00298FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00298FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00299032
FreeLibrary.KERNEL32(00000000), ref: 00299052

Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00281043,?,7735E610), ref: 0022F6E6
Part of subcall function 0022F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0026FA64,00000000,00000000,?,?,00281043,?,7735E610,?,0026FA64), ref: 0022F70D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction ID: 5b4307128e6a99bb442c284cd52c79ff7aa61fe4d91bb70043e0aeac16515d31
Opcode Fuzzy Hash: 07e6a884821397914c84b33aaae798c236af57f7e4814e47f57b75cdf597310e
Instruction Fuzzy Hash: 5E515B35610205DFCB11DF68C4948ADBBF1FF5A324B5880A8E81A9B762DB31ED95CF90

Function 002A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 002A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0028AB79,00000000,00000000), ref: 002A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002A6CC7

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction ID: ce8466677383db4ccf8e155ffba0e8b0b61179052ce63b58a1c67a57a7fa8648
Opcode Fuzzy Hash: f96bed69b2e56ccfa89010ba9aee5c3c6930fc7a75293b3e6b57b8adbfdfdefb
Instruction Fuzzy Hash: 3341E735624105AFD724DF38CC5CFA9BBA6EB0B360F190225F955A72E1CB71ED60CA50

Function 00242051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002420C3
_free.LIBCMT ref: 002420E3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 039f0c32c0cd284bb4705abe5deeec75a25f6f377680e4c31cbb7d6da5b401d7
Instruction ID: 6e627c1a2a9af69141de62b5aec230f183d7c6c3fa548bf440a0bdffb6b21062
Opcode Fuzzy Hash: 039f0c32c0cd284bb4705abe5deeec75a25f6f377680e4c31cbb7d6da5b401d7
Instruction Fuzzy Hash: 3D41F132A10200EFCB28DF79C880A5EB3F5EF88310F6541A9F509EB352DA31AD15CB80

Function 0022912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00229141
ScreenToClient.USER32(00000000,?), ref: 0022915E
GetAsyncKeyState.USER32(00000001), ref: 00229183
GetAsyncKeyState.USER32(00000002), ref: 0022919D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction ID: 96e44988e3f75519fe78b96f990a56ef55bd75b69345016cd6c0546d84b83c29
Opcode Fuzzy Hash: 8e5a0b76d9d5a8368e78c8abcb40e90f4f7deb9cd842d0d8775a3ab2549aff40
Instruction Fuzzy Hash: BE41903191821BFBDF059FA8D848BEEB775FB06324F204256E429A32D0CB7059A4CF91

Function 00283874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00283922
TranslateMessage.USER32(?), ref: 0028394B
DispatchMessageW.USER32(?), ref: 00283955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00283966

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction ID: 445193d6009bdc5612054cb8405abb5b6d656b68e2a5d76f18d63b1b857bab64
Opcode Fuzzy Hash: e24e684744892cb999e68bc9a394e1d636497ce5737135654e2b62d411632786
Instruction Fuzzy Hash: A831F778966383DFEB35EF34E84CBB637A8AB01700F140469E466860E0E7F496A5CB11

Function 0028CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0028CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0028CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028C21E,00000000), ref: 0028CFF2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 50484539c57e4fb20b2d412028af16760a3cf783e261e9399fba6a28f7f0ebe2
Instruction ID: 8bee132f0aec724fd96ab2dc32485261586e8525289ff80af5cdcb6e593679ad
Opcode Fuzzy Hash: 50484539c57e4fb20b2d412028af16760a3cf783e261e9399fba6a28f7f0ebe2
Instruction Fuzzy Hash: B2318475521206EFEB20EFA5D88496BB7F9EB14310B20442FF606D2591DB30AD50DB60

Function 00271901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00271915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002719E2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4156cfd232d7975eabc727004c0f76d7cf7ed69516a916f3bb11b8bd849cf178
Instruction ID: 5644b94da04c2f3ba64a11179606bf4c52d05c413900b61af581019fbfd35cc2
Opcode Fuzzy Hash: 4156cfd232d7975eabc727004c0f76d7cf7ed69516a916f3bb11b8bd849cf178
Instruction Fuzzy Hash: 5331D171A1021AEFCB04CFACDD99ADE3BB5EF45314F108225FA25A72D0C7709965CB90

Function 002A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A579D
_wcslen.LIBCMT ref: 002A57AF
_wcslen.LIBCMT ref: 002A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction ID: 6e97ff82a54e0c3b48f0c7c5fc408676ed53cd3fc54ac77f67eb45fa27b98a4c
Opcode Fuzzy Hash: 7d2196626f22d91489fd13a5873a4e9d1be37fcc2b5b603d2dd7441baa1e3f2d
Instruction Fuzzy Hash: 87218471924629DBDB209F60DC84AEFB778FF46720F104156F919AA180DB7099A5CF90

Function 00290930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00290951
GetForegroundWindow.USER32 ref: 00290968
GetDC.USER32(00000000), ref: 002909A4
GetPixel.GDI32(00000000,?,00000003), ref: 002909B0
ReleaseDC.USER32(00000000,00000003), ref: 002909E8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction ID: 32eaa1a38ba0c2a5404cc9df0273e8dc1cd871455207573934a303605534569e
Opcode Fuzzy Hash: dde3cceb775b0fdd3b8dac9908a1b2836a86040309bb03793c34c09a7dd6e740
Instruction Fuzzy Hash: 51219635610204AFD704EF65D988AAEB7F9EF45700F148469F84AD7751DB70AC54CF50

Function 0024CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024CDE9

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024CE0F
_free.LIBCMT ref: 0024CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024CE31

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a6c870e6731b227fc3db8c738042ecb8575b1eb96cb172c9887f12fcae9f5ab0
Instruction ID: 84093caec43fca8bdc12963d45ed8a24f52a7a485faa5fd1d9b7a057ab42cac6
Opcode Fuzzy Hash: a6c870e6731b227fc3db8c738042ecb8575b1eb96cb172c9887f12fcae9f5ab0
Instruction Fuzzy Hash: D501D8727132157F27651ABE6C4CC7B696DDEC7BA13350129F905CB200DF618D2195B0

Function 00229639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
SelectObject.GDI32(?,00000000), ref: 002296A2
BeginPath.GDI32(?), ref: 002296B9
SelectObject.GDI32(?,00000000), ref: 002296E2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction ID: c267d2883f1ac15930189639d360ae584832dd4a21ca7b77b3e1dc95c8322211
Opcode Fuzzy Hash: 83c12099358ec3482d5deb54cf5e7e53f2353f2609ab27d48e62a5cad9a29c9b
Instruction Fuzzy Hash: D2217130861396EBDB119FA4FC4CBB97BA8BB01315F100225F414AA1A1D77498F5CF90

Function 00275711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275726
_memcmp.LIBVCRUNTIME ref: 00275744
_memcmp.LIBVCRUNTIME ref: 00275757
_memcmp.LIBVCRUNTIME ref: 0027576F
_memcmp.LIBVCRUNTIME ref: 00275787

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction ID: 262b11b05f268d0f2b73d680df856a140468fe6dc1dfe334846d8b8d8a2b0d42
Opcode Fuzzy Hash: 77e8281120af5704fc75e4084abf6f9b8945f6ea3de1ba7eef0bec8a6027bd13
Instruction Fuzzy Hash: C501BEA16B1615FBD20C55119E82FBBF35D9B26364F008021FD0C5A141F7F5ED3086B0

Function 00242DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0023F2DE,00243863,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6), ref: 00242DFD
_free.LIBCMT ref: 00242E32
_free.LIBCMT ref: 00242E59
SetLastError.KERNEL32(00000000,00211129), ref: 00242E66
SetLastError.KERNEL32(00000000,00211129), ref: 00242E6F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a364c5f0127c8a5899294b453cfa62065e7497d419b13aa8ecfd6e5c6d6e364
Instruction ID: e0897034251e8dca9626df90875cca2a584f23b84ee20304369945afd61aecc0
Opcode Fuzzy Hash: 2a364c5f0127c8a5899294b453cfa62065e7497d419b13aa8ecfd6e5c6d6e364
Instruction Fuzzy Hash: B201F932775A02E7C61EAB377C89D2B2659EBD27A57F40025F815D2293EEB0DC394520

Function 0027000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?,?,0027035E), ref: 0027002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?), ref: 00270064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0026FF41,80070057,?,?), ref: 00270070

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction ID: 3b83e166ba43b9305e929888d525052f9229bd317f13f87fa361d231d33cf134
Opcode Fuzzy Hash: a48d26c50e43790a3e14429adfe618399f2ebef9a4a0fe25e74ef1a6fa78dd1c
Instruction Fuzzy Hash: A301A272610215FFDB114F68EC88BAA7AEDEF44761F248124F909D2210DB75DD549BA0

Function 0027E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0027E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0027E9A5
Sleep.KERNEL32(00000000), ref: 0027E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0027E9B7
Sleep.KERNEL32 ref: 0027E9F3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction ID: 830d36f6181d061d4f75c64783362345109b39b212ab78cf46ae663d2a25f8f7
Opcode Fuzzy Hash: 32642924dadd138573108f9735bd21b05302062e0ddddb357062a6155dd594d8
Instruction Fuzzy Hash: 6A015B32D11529DBCF009FE4E84DADDBB78BF0E301F114596EA06B2241CB309565CB62

Function 002710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00271114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 0027112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00270B9B,?,?,?), ref: 00271136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027114D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction ID: 3a49bc3b137ac718f4a606138f383f07bb2a8b1d3bc115539cca783bbbfbab07
Opcode Fuzzy Hash: 0edc4654a0be7e20e781c0510ddd8be1cbecafc823301c856a80f5a22de2674e
Instruction Fuzzy Hash: 32011975200215BFDB114FA9EC4DA6A3B6EEF8A3A0B604469FA49D7360DE31DD109A60

Function 00270FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00270FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00270FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00270FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00270FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271002

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction ID: 5377f5ce8b9cb23cdc80d073ec82364728ca70ec87f5854fd1e7f4bd8fc3db5d
Opcode Fuzzy Hash: a5a6724a65bed132178d3ed591f122763b212e8b9185a2b84bf0e966de5ef529
Instruction Fuzzy Hash: 5CF04935200312EBDB215FA8AC4DF563BADEF8A762F204424FA49C6251DE70DC608A60

Function 00271014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction ID: 65b5c3d4672a27ae75948a881523a391692afd383333d29eef8662d4143e4bda
Opcode Fuzzy Hash: 12eb12cd31775a8b72ee2f2f895738ce3b01afab5b91958c5bbb09c6fb14ec99
Instruction Fuzzy Hash: F8F06D35200312FBDB215FA8EC4DF563BADEF8A761F204424FE49C7250DE70D8608A60

Function 0028030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280324
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280331
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 0028033E
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 0028034B
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280358
CloseHandle.KERNEL32(?,?,?,?,0028017D,?,002832FC,?,00000001,00252592,?), ref: 00280365

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction ID: 0b424d8b8b9f26d9da40faa152d7e8551a84aec36eb6ad2e76718680dc48ab46
Opcode Fuzzy Hash: da46e07c3cfc67e2bc9c51c5fb139ffda944daae7ef6b60e68356a4f247150cc
Instruction Fuzzy Hash: 5601DC76802B029FCB30AF66D8C0806FBF9BE602053158A7ED19252971C7B0A968CF80

Function 0024D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0024D752

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 0024D764
_free.LIBCMT ref: 0024D776
_free.LIBCMT ref: 0024D788
_free.LIBCMT ref: 0024D79A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3479e3a532ba8ffbb22fa8d73e62ae4b3b88adfcf84e7ccac07ff3d2ecf3af75
Instruction ID: 75487a5bb8d87c1354421e7a5b0e6b3b9d0094d02adb869f7c872ccbd8a4713e
Opcode Fuzzy Hash: 3479e3a532ba8ffbb22fa8d73e62ae4b3b88adfcf84e7ccac07ff3d2ecf3af75
Instruction Fuzzy Hash: 62F03632965206EB9629EF66F9C5C16BBDDBB447107F41C06F048D7541C730FCA0CA64

Function 00275C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00275C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00275C6F
MessageBeep.USER32(00000000), ref: 00275C87
KillTimer.USER32(?,0000040A), ref: 00275CA3
EndDialog.USER32(?,00000001), ref: 00275CBD

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 77d56a41878d7b66422d67d66d47cfa44bc8a1b013d0a4e00022ae81d11613d5
Instruction ID: ce48ee37d54f373cc5902839e5f602170fb7630e146ae7d32377a2a68a895fec
Opcode Fuzzy Hash: 77d56a41878d7b66422d67d66d47cfa44bc8a1b013d0a4e00022ae81d11613d5
Instruction Fuzzy Hash: 32018130510B14ABEB219F10ED4EFA6B7BCBB11B05F04456EB587A10E1DFF4A9988A90

Function 002422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002422BE

Part of subcall function 002429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000), ref: 002429DE
Part of subcall function 002429C8: GetLastError.KERNEL32(00000000,?,0024D7D1,00000000,00000000,00000000,00000000,?,0024D7F8,00000000,00000007,00000000,?,0024DBF5,00000000,00000000), ref: 002429F0

_free.LIBCMT ref: 002422D0
_free.LIBCMT ref: 002422E3
_free.LIBCMT ref: 002422F4
_free.LIBCMT ref: 00242305

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a40ac7021e33ef8b0a4c08c4f1a6ed29cb0d13251a71fc276314eeda362873d
Instruction ID: 9994fca1a3738922489f828652c00a4dffbad11a63dd5b24fa9dc467554c7afa
Opcode Fuzzy Hash: 1a40ac7021e33ef8b0a4c08c4f1a6ed29cb0d13251a71fc276314eeda362873d
Instruction Fuzzy Hash: 7BF05EB08A11A1DB9B17AF57BC8980C3B68F7187607A0151BF814DA2B1CB711876EFE4

Function 002295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002295D4
StrokeAndFillPath.GDI32(?,?,002671F7,00000000,?,?,?), ref: 002295F0
SelectObject.GDI32(?,00000000), ref: 00229603
DeleteObject.GDI32 ref: 00229616
StrokePath.GDI32(?), ref: 00229631

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction ID: 49bab884c6149a1431e4f22809f08857a8115d952b1e349a4e8e645b7da67da3
Opcode Fuzzy Hash: cfc2c73a7e3a6d843aabe25e7faf778942eba344992c9b7f16dd7ad7355bc88f
Instruction Fuzzy Hash: 8AF03C30055285EBDB125FA5FD5C7643BA5EB02322F148224F429590F2CB7589B5DF20

Function 00240F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002410F9
__freea.LIBCMT ref: 00241117

Part of subcall function 00241537: _free.LIBCMT ref: 0024154F

Strings

am/pm, xrefs: 0024117A
a/p, xrefs: 002411DE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: be07bde2548a4ff011a15d1f8f84bdb847936f21e566ce2362e801b5184bc3fe
Instruction ID: e6bed07876e556486b0e5cfd43987b8d988da083d48032861c0ce2a6f30cdb27
Opcode Fuzzy Hash: be07bde2548a4ff011a15d1f8f84bdb847936f21e566ce2362e801b5184bc3fe
Instruction Fuzzy Hash: A3D1F231930207DADB2C9F68C895BFABBB0EF05700F244199E915AB654D3B59DF0CB91

Function 002961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00230242: EnterCriticalSection.KERNEL32(002E070C,002E1884,?,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023024D
Part of subcall function 00230242: LeaveCriticalSection.KERNEL32(002E070C,?,0022198B,002E2518,?,?,?,002112F9,00000000), ref: 0023028A

Part of subcall function 002300A3: __onexit.LIBCMT ref: 002300A9

__Init_thread_footer.LIBCMT ref: 00296238

Part of subcall function 002301F8: EnterCriticalSection.KERNEL32(002E070C,?,?,00228747,002E2514), ref: 00230202
Part of subcall function 002301F8: LeaveCriticalSection.KERNEL32(002E070C,?,00228747,002E2514), ref: 00230235

Part of subcall function 0028359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002835E4
Part of subcall function 0028359C: LoadStringW.USER32(002E2390,?,00000FFF,?), ref: 0028360A

Strings

x#., xrefs: 0029633A
x#., xrefs: 0029636F
x#., xrefs: 00296353

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#.$x#.$x#.
API String ID: 1072379062-2340457610
Opcode ID: a53f35fa292728dfe664963f2ea164a807e4f4cdc3a5c931cb6fb2f506b236ea
Instruction ID: 78aebe95c70378214a905a78c79470944012b544066a2d46b7051d57d5a01348
Opcode Fuzzy Hash: a53f35fa292728dfe664963f2ea164a807e4f4cdc3a5c931cb6fb2f506b236ea
Instruction Fuzzy Hash: 99C17B71A20106AFDF24DF98C894EBEB7F9EF48300F558069E9059B291DB70E965CB90

Function 00248A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00248B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00248B7A
__dosmaperr.LIBCMT ref: 00248B81

Strings

.#, xrefs: 00248A63

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .#
API String ID: 2434981716-197210044
Opcode ID: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction ID: eb4e2219a58afd81e4a1160ce853b91b6da76087db3f5711005ee07970c142b8
Opcode Fuzzy Hash: adcc6fd5105ec10fc55ea8ed203e79b8866256888e351573d7ceaa8d721075c8
Instruction Fuzzy Hash: 05419170634055AFDB289F24DC84A7D7FD5DB45308F288199F884CB542DE71CC638750

Function 00272716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721D0,?,?,00000034,00000800,?,00000034), ref: 0027B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00272760

Part of subcall function 0027B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0027B3F8

Part of subcall function 0027B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0027B355
Part of subcall function 0027B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B365
Part of subcall function 0027B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00272194,00000034,?,?,00001004,00000000,00000000), ref: 0027B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027281A

Strings

@, xrefs: 00272832

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction ID: f2d6dbb5d705826bf054d9d827ef521c04f7f312875aa4c09472499e12d2cdd0
Opcode Fuzzy Hash: d445473ab77be2c9d68b511d5444775d815ba461ad48665b718374ad57345d98
Instruction Fuzzy Hash: 12416D72900218AFDB15DFA4CD45BDEBBB8AF05700F108095FA59B7181DB706E99CFA1

Function 0024172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rRFQ_025261-97382.exe,00000104), ref: 00241769
_free.LIBCMT ref: 00241834
_free.LIBCMT ref: 0024183E

Strings

C:\Users\user\Desktop\rRFQ_025261-97382.exe, xrefs: 00241760, 00241767, 00241796, 002417CE

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\rRFQ_025261-97382.exe
API String ID: 2506810119-1059001893
Opcode ID: 512354fcdcbed385e0a16a6e2c1bae81bf96091e981c2713fa29a9522d4acfcb
Instruction ID: 58ce2db1787f190614d8064d9424f3b7ed4bb189c86d81bc9da08e6e46841f83
Opcode Fuzzy Hash: 512354fcdcbed385e0a16a6e2c1bae81bf96091e981c2713fa29a9522d4acfcb
Instruction Fuzzy Hash: 2A31AE71A50258EBDB29DF9ADC85D9EBBFCEB85310B104166F904DB211D7B08EA0CB90

Function 0027C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0027C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0027C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E1990,01865628), ref: 0027C395

Strings

0, xrefs: 0027C2DF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction ID: f0f1941c176447693314a9e84ad6814b584fd381efeae8eb885880c02f288316
Opcode Fuzzy Hash: 1d9d6a3f1c86db17cfa1f6a754e7b4b3361b0206c2b53b7739883f5af07ec429
Instruction Fuzzy Hash: 7541C3712143029FD720DF34D885B5ABBE4AF85320F20C6ADF9A9972D1D770E954CB62

Function 002A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002ACC08,00000000,?,?,?,?), ref: 002A44AA
GetWindowLongW.USER32 ref: 002A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A44D7

Strings

SysTreeView32, xrefs: 002A447C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction ID: 5ee0cfac16f5b5d69f87e4cad696e45c333f85de07451b58192a62ec1f02feda
Opcode Fuzzy Hash: 65bb59341124ee77542515c5c7c9c4c86c5b9909c99a45179f9b8ec0b1eea7fb
Instruction Fuzzy Hash: E631A231220606AFDF209F78DC45BDA77A9EB9A334F204725F975921D0DBB0EC609B50

Function 00276E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00276EED
VariantCopyInd.OLEAUT32(?,?), ref: 00276F08
VariantClear.OLEAUT32(?), ref: 00276F12

Strings

*j', xrefs: 00276E8B, 00276E90, 00276EF8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j'
API String ID: 2173805711-4035128418
Opcode ID: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction ID: 37e3092a84006c882177a10024da6b6d5bf693d959bb303fdc742eb6fd7fe349
Opcode Fuzzy Hash: 72f3d48d040188f5f133464c7dc1408d8526a9f3cf6101bec31e2bad73743006
Instruction Fuzzy Hash: B931F331624606DFCB05AFA4E85A8BD37B6EF85300B2044A8F8074B6A1CB709D71CFD1

Function 0029304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00293077,?,?), ref: 00293378

inet_addr.WSOCK32(?), ref: 0029307A
_wcslen.LIBCMT ref: 0029309B
htons.WSOCK32(00000000), ref: 00293106

Strings

255.255.255.255, xrefs: 00293095, 0029309A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction ID: bbe233f8258a73efbfbf7684232196f9288b4e1513d819771c7ef333820608eb
Opcode Fuzzy Hash: aac933c6fa4ae11fd876e1777863d38e0ac0ca3375c11841724349b0fe383da3
Instruction Fuzzy Hash: CD31E7352102029FCF20CF68C485EAA77F0EF15314F248059E9158B3A2DB72EE55CB60

Function 002A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002A471A

Strings

msctls_updown32, xrefs: 002A4684

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction ID: 0ceeeef8baf054e57380654d18a48c668f09c14d4417e8c9de8ec48d8a2f1755
Opcode Fuzzy Hash: 03b203d8f0564ee155109a4fcb61a7e187fb0f3712dffaa16eb1f3dbfbbad178
Instruction Fuzzy Hash: 6F2192B5610245AFDB10EF68ECC5DBB77ADEB9B794B140059F9009B261DB70EC21CA60

Function 002795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027961D

Strings

#notrayicon, xrefs: 002795B7
#OnAutoItStartRegister, xrefs: 002795F3
#requireadmin, xrefs: 002795D9

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f113d43a8dadaf0c80bf9b8efd3c0cf33c211c5b4439b41d5f15f5b69b9c7f1d
Instruction ID: 82c868c62029cbee1c9a2d2cd6be53c813667eef8ab1190bb95d84fcef38075c
Opcode Fuzzy Hash: f113d43a8dadaf0c80bf9b8efd3c0cf33c211c5b4439b41d5f15f5b69b9c7f1d
Instruction Fuzzy Hash: 07216B7213432266C331AE259C02FB773EC9FA6300F408025FA4D97041EBB49DF1C691

Function 002A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A3876

Strings

Listbox, xrefs: 002A380F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction ID: 7659a4dbb32b46b07bdbc3045b6cf126f9b3c8094844d6ef462c457bfef0a46b
Opcode Fuzzy Hash: 6b4bbbffdb3558a4dc3a686307bc3be616d8210dc4e40cfe1f55a1b04e739389
Instruction Fuzzy Hash: 61218072620119BFEB11CF54DC85EAB776EEF8A750F108125F9049B190CA75DC618BA0

Function 002849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00284A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00284A5C
SetErrorMode.KERNEL32(00000000,?,?,002ACC08), ref: 00284AD0

Strings

%lu, xrefs: 00284A6F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction ID: 3ad54d0266552ab6d40ff9743c18ed6a2657171ccef52bfc2a485474aa92eee0
Opcode Fuzzy Hash: 7b5b28dda45e5e8bfde57f514ed7a6be98da5128e16f9d04f2be359cfceacea1
Instruction Fuzzy Hash: 9C318074A10109AFD710EF54C895EAA7BF8EF09308F1480A5E809DB252DB71EE55CFA1

Function 002A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A4271

Strings

msctls_trackbar32, xrefs: 002A4226

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction ID: 46bc051ea13b107bb519a64701928c71ac00a5db1ad775c7e6827240279035a8
Opcode Fuzzy Hash: fd0740b7aedba998bff9345bbcf08f3f51f6433afae27f8c5a4d59826e41f895
Instruction Fuzzy Hash: FF110631250248BFEF20AF28CC46FAB3BACEFD6B54F110125FA55E6090DAB1DC619B50

Function 00272F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Part of subcall function 00272DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
Part of subcall function 00272DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
Part of subcall function 00272DA7: GetCurrentThreadId.KERNEL32 ref: 00272DDD
Part of subcall function 00272DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00272DE4

GetFocus.USER32 ref: 00272F78

Part of subcall function 00272DEE: GetParent.USER32(00000000), ref: 00272DF9

GetClassNameW.USER32(?,?,00000100), ref: 00272FC3
EnumChildWindows.USER32(?,0027303B), ref: 00272FEB

Strings

%s%d, xrefs: 00272FFF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction ID: b63fefb4eaee37e224ae9eead9b836a1e91e6d5c1110a83808c52fb11e3246e9
Opcode Fuzzy Hash: 1a22cf7d803faf30868a17284e6822ceb7fdbd4a0a24add7af91981be54b900f
Instruction Fuzzy Hash: F211E771610205ABCF10BF709C89EFE37AAAF95314F048075F90D9B152DE705A699F60

Function 002A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A58EE
DrawMenuBar.USER32(?), ref: 002A58FD

Strings

0, xrefs: 002A588F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5c9905abbbbd26cb3f1e82038566800cd4243f39fc70543bf07a912d2a63b053
Instruction ID: 98d950dad6f5c16763e7a7cc62d211411870e4d12efa80967deec69067921d8d
Opcode Fuzzy Hash: 5c9905abbbbd26cb3f1e82038566800cd4243f39fc70543bf07a912d2a63b053
Instruction Fuzzy Hash: 3A013C31520229EFDB519F51E844BABBBB4BF46360F1080A9F849DA151DF708AA49F61

Function 0027007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction ID: c346d9361c44aae7431958091c8e9b8ebbf2375764a6b81daef0bca946450632
Opcode Fuzzy Hash: 9e9ebdfad0e3bbe74691f994936d83b63adcccdb3366aa3cb83b1c8d91c1cbe7
Instruction Fuzzy Hash: 8EC15B75A10206EFDB14CFA4C898AAEB7B5FF48304F208598E909EB251D771ED95CB90

Function 0029342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00293459
CoUninitialize.OLE32 ref: 00293463
VariantInit.OLEAUT32(?), ref: 0029346E
VariantClear.OLEAUT32(?), ref: 0029371B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 079046d1bc24f6d949ed5943d3f147fd65feee58cd5847744630f742c93612b6
Instruction ID: 4b89d2bc45158e5b1c454cd391ae42b631f63c2ae6242540a7638727a5742c5a
Opcode Fuzzy Hash: 079046d1bc24f6d949ed5943d3f147fd65feee58cd5847744630f742c93612b6
Instruction Fuzzy Hash: 93A15B75224201AFCB10DF64C485A6AB7E5FF8C714F048859F98A9B362DB30EE51CF91

Function 00270436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002AFC08,?), ref: 002705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002AFC08,?), ref: 00270608
CLSIDFromProgID.OLE32(?,?,00000000,002ACC40,000000FF,?,00000000,00000800,00000000,?,002AFC08,?), ref: 0027062D
_memcmp.LIBVCRUNTIME ref: 0027064E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction ID: 85ee559146a33c0bcb4a27e1930bc4e3f33e3ef1c18f1f4daa2fea1ba251991d
Opcode Fuzzy Hash: 8ef583254b3d1ba2e71ddb292fdf0ebca2df4c3c6249909920649825b04223a1
Instruction Fuzzy Hash: B9814C71A10109EFCB04DF94C984EEEB7B9FF89315F208158E516AB250DB71AE1ACF60

Function 00251391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002514C0

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e87d9f88960018112ddc17f1d69fe2892c3c53769a1191cd68ece58af055d951
Instruction ID: 336dc055647334309ed15eeaf3a5e3eb7587a142aaa9ef5400b019168f859928
Opcode Fuzzy Hash: e87d9f88960018112ddc17f1d69fe2892c3c53769a1191cd68ece58af055d951
Instruction Fuzzy Hash: 6E418D72A30101ABDB257FFDDC46BBF3AA4EF41371F240226FC18C6192E67488795A65

Function 002A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A62E2
ScreenToClient.USER32(?,?), ref: 002A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002A6382

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction ID: 0ad22df74b0617d6b742db82b5d8cbcbcdd5cd38ea3b809be470e6ecc980543c
Opcode Fuzzy Hash: d635fea5b6cd1179e7a3117fd176e745021aeec6afef3d1d7afc935a4f9c84f9
Instruction Fuzzy Hash: 2F514D7091024AEFCF14DF54D888AAE7BB5EF56760F1481A9F8159B290DB30EDA1CB50

Function 00291AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00291AFD
WSAGetLastError.WSOCK32 ref: 00291B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00291B8A
WSAGetLastError.WSOCK32 ref: 00291B94

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5a70b563631661add13757189467b06279bcc972296b46d1b30372ae6b21e1fc
Instruction ID: 9bdd24caadba5de7755dbd8e99cdfed930c0c27ebfa750c0c4177cc57f6456f7
Opcode Fuzzy Hash: 5a70b563631661add13757189467b06279bcc972296b46d1b30372ae6b21e1fc
Instruction Fuzzy Hash: FA41F5346102016FDB20AF24D88AF6977E5AB54708F54C448F9158F3D3DB72EDA2CB90

Function 0024B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction ID: ad80f99cf28777a9448e7611c0e7ef0876b1ad216a4b96aca3d91033a03df6c4
Opcode Fuzzy Hash: 25efbbd5d3c35ddc7675acc22976b1cdf30247c526ab2500a1ec5401c882b639
Instruction Fuzzy Hash: 8E411972A20704BFD72A9F38CC45BAABBE9EF88710F10452AF555DB681D771D9318B80

Function 002856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00285783
GetLastError.KERNEL32(?,00000000), ref: 002857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002857FA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction ID: 60f0671ea9b34198dacc14200f5154b16735213f260a2f2387e98795b358aac7
Opcode Fuzzy Hash: 02fe09cbacb66c406d34676f274cdd93a3be85af0e5d0ec0116631f1a6996528
Instruction Fuzzy Hash: 45411A39610611DFCB11EF15C444A5EBBF2AF99320B198489EC4AAB362CB30FD91CF91

Function 0024D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00236D71,00000000,00000000,002382D9,?,002382D9,?,00000001,00236D71,?,00000001,002382D9,002382D9), ref: 0024D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024D9AB
__freea.LIBCMT ref: 0024D9B4

Part of subcall function 00243820: RtlAllocateHeap.NTDLL(00000000,?,002E1444,?,0022FDF5,?,?,0021A976,00000010,002E1440,002113FC,?,002113C6,?,00211129), ref: 00243852

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5c94a5bc4ee6dc0fb3f8045e444511e8bd43e3b9dde8295d185651ce0da9db94
Instruction ID: 164aea8961a45094f6269f5b298cebecb6ca2395aa4e61c18173eac02f95a7e6
Opcode Fuzzy Hash: 5c94a5bc4ee6dc0fb3f8045e444511e8bd43e3b9dde8295d185651ce0da9db94
Instruction Fuzzy Hash: E831CD72A2020AABDF28DF64DC85EAE7BA5EB41710F154168FC04D7290EB35DD64CBA0

Function 002A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002A5352
GetWindowLongW.USER32(?,000000F0), ref: 002A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A53A8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a43fb3e9aba5f74db3aac4dcf5a65eb923ded8488771d314c7e13cf5c80331ff
Instruction ID: b4ea04056a4d3f8bc26e8eadd5875490bf5d568082fcc7a7f636f8c801f1f123
Opcode Fuzzy Hash: a43fb3e9aba5f74db3aac4dcf5a65eb923ded8488771d314c7e13cf5c80331ff
Instruction Fuzzy Hash: 19310430A75A29FFEF349E14DC49BEA7765AB86390F584081FA00961E1CFF099A0DB41

Function 0027AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0027ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0027AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0027AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0027ACC6

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction ID: b6babdd93649e83caeda36b950e372f37cefd22e3a3f54f173075cee44fa2345
Opcode Fuzzy Hash: 57506df14775ca2e9cc9e0e8bc6d9dfe0e238d5a672fc18c69d35664d78d8dda
Instruction Fuzzy Hash: 0131F830A2071A7FEF26CF658809BFE7BA5ABC5330F14C21FE489521D1C77589A58752

Function 002A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002A769A
GetWindowRect.USER32(?,?), ref: 002A7710
PtInRect.USER32(?,?,002A8B89), ref: 002A7720
MessageBeep.USER32(00000000), ref: 002A778C

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction ID: 6866c70756fa8dce8e3c6f17c877fae46070e8f8015324a467ca03c61fa6d9d8
Opcode Fuzzy Hash: 11f46c37c1dcbb5f33ef24b981fdf31ea1d135b7128a542a051315c5e2b72667
Instruction Fuzzy Hash: 1741A938A19255DFCB01CF58DC98EA9B7F4FB4A304F1940A8E8149F261CB30A9A1CF94

Function 002A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A16EB

Part of subcall function 00273A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273A57
Part of subcall function 00273A3D: GetCurrentThreadId.KERNEL32 ref: 00273A5E
Part of subcall function 00273A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002725B3), ref: 00273A65

GetCaretPos.USER32(?), ref: 002A16FF
ClientToScreen.USER32(00000000,?), ref: 002A174C
GetForegroundWindow.USER32 ref: 002A1752

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction ID: 28285bc3c313962d6fb64ba13e88fde92f73ed2b104d3fb7ef87effef2077fe9
Opcode Fuzzy Hash: f165874ea595218e5dfd7026bc4e58ac26c116e037b5779c605eb4dedda78f45
Instruction Fuzzy Hash: B0313E75D10249AFC704EFA9C8858EEB7F9EF59304B5080AAE415E7211EB319E55CFA0

Function 0027D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027D501
Process32FirstW.KERNEL32(00000000,?), ref: 0027D50F
Process32NextW.KERNEL32(00000000,?), ref: 0027D52F
CloseHandle.KERNEL32(00000000), ref: 0027D5DC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bff949479f0b2cbea4e4435933cc59c03d99d3c4575d6e481bcf7a242cc10884
Instruction ID: abb2b818f8819aaf9d5fab4aae4e601b745bdeb950678d6c0ebf3b36626b2c99
Opcode Fuzzy Hash: bff949479f0b2cbea4e4435933cc59c03d99d3c4575d6e481bcf7a242cc10884
Instruction Fuzzy Hash: 4431D171118301AFD300EF54D895AAFBBF8EFA9344F50492DF589831A1EF719998CB92

Function 002A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00229BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00229BB2

GetCursorPos.USER32(?), ref: 002A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00267711,?,?,?,?,?), ref: 002A9016
GetCursorPos.USER32(?), ref: 002A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00267711,?,?,?), ref: 002A9094

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction ID: 699a54e66c585fdf77d4781c8ca0e644b2f1055f06cd0fb73da3d85cbeda2103
Opcode Fuzzy Hash: d3ee9716c55e80ef1542155f98474c259592b67585ca08226c73e6068389c208
Instruction Fuzzy Hash: 1321A135610018FFDB258F95DC98EFA7BB9EF8A390F144065F9055B261CB3199A0DF60

Function 0027D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002ACB68), ref: 0027D2FB
GetLastError.KERNEL32 ref: 0027D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0027D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002ACB68), ref: 0027D376

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction ID: ab55f4b4d60a8c440cd8977290dda313dd13baf543360b1e8b95bfde79b2cfbf
Opcode Fuzzy Hash: 8d099880e283b327158b4dccfc09097ca7585f87dd563a95eee63a7e0c63e9f5
Instruction Fuzzy Hash: 2A21A3705252029F8710DF24D8858AAB7F4EE56328F208A5DF89DC32A1DB31D956CF93

Function 00271571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027102A
Part of subcall function 00271014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00271036
Part of subcall function 00271014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271045
Part of subcall function 00271014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027104C
Part of subcall function 00271014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00271062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002715BE
_memcmp.LIBVCRUNTIME ref: 002715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00271617
HeapFree.KERNEL32(00000000), ref: 0027161E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction ID: 3f92785b570273f4b27568375161e2c308b2f26cf2800de2ba0b626c4ff76133
Opcode Fuzzy Hash: 10854d19091dc087fb44e1e45f25313810e0ee53cb84a4b982c9c550b0d48e82
Instruction Fuzzy Hash: 6221AF71E10109EFDF14DFA8C949BEEB7B8EF44344F188459E449AB241E730AA25DFA0

Function 002A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002A2840

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3323c84c6aca9742a27560757909fe299e61acad48a72bec4b72d256ba865e4f
Instruction ID: fec04a5019117d11558f0cdf24d295a07e1eb3be686916828c37eeab27d2efe4
Opcode Fuzzy Hash: 3323c84c6aca9742a27560757909fe299e61acad48a72bec4b72d256ba865e4f
Instruction Fuzzy Hash: 3721E231214111EFD7149B28CC44FAAB795AF46324F248158F4268B6E2CF75ED96CB90

Function 002778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00278D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0027790A,?,000000FF,?,00278754,00000000,?,0000001C,?,?), ref: 00278D8C
Part of subcall function 00278D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00278DB2
Part of subcall function 00278D7D: lstrcmpiW.KERNEL32(00000000,?,0027790A,?,000000FF,?,00278754,00000000,?,0000001C,?,?), ref: 00278DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00277923
lstrcpyW.KERNEL32(00000000,?), ref: 00277949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00278754,00000000,?,0000001C,?,?,00000000), ref: 00277984

Strings

cdecl, xrefs: 0027797B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 63f7b1e010e5db629a7774a9296b894e562a01376a93c8c13ab8df17e60793e5
Instruction ID: 3dbea55a393e1219d24664ee8a0c6ae552f350584872d13fb9373546d8eeae2c
Opcode Fuzzy Hash: 63f7b1e010e5db629a7774a9296b894e562a01376a93c8c13ab8df17e60793e5
Instruction Fuzzy Hash: 5B11E93A211342EBCB155F38D849D7B77A5FF95350B50802AFA4AC7264EF319C21CB91

Function 002A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002A56BB
_wcslen.LIBCMT ref: 002A56CD
_wcslen.LIBCMT ref: 002A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A5816

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction ID: 531c0d1e0e47fd6fc8ccfa1f019729eaa83fb984630af5a122be8ec346b4d9cb
Opcode Fuzzy Hash: 4fc499f5c34cdd3ec0c4a00078afdedee0ede52330867a895c557a5f3fb57df7
Instruction Fuzzy Hash: 0611B17163062AD7DB20DF619C85AEF77ACBF16760F104066F915D6081EFB09AA4CFA0

Function 00271A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00271A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00271A8A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ec8ec1b21bfe35e4268e3c490e6f1a8cec44e10390a076d585f8b9ae054ca688
Instruction ID: 6a0a8be1f571fcd89e2e00c3d6e63b1e4aeddef1c474112438f66bf4e95051c7
Opcode Fuzzy Hash: ec8ec1b21bfe35e4268e3c490e6f1a8cec44e10390a076d585f8b9ae054ca688
Instruction Fuzzy Hash: E211393AD01219FFEB10DBA8CD85FADBB78EF08750F204091EA04B7294D6716E60DB94

Function 0027E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0027E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0027E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0027E24D

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction ID: 17ea7e7469346c9a6d9fd8e8dc428a28e9c2290c9285dcd4027262857f03e136
Opcode Fuzzy Hash: 190a7c2de8ee4b471ed528ed91b257ce6b2e4509ffcd48b4a39d16d75b2b87c9
Instruction Fuzzy Hash: 45112B72A14254BBCB019FA8BC4DA9F7FAC9B46320F1182A5FC18D7295DAB0CD1087B0

Function 0023D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0023CFF9,00000000,00000004,00000000), ref: 0023D218
GetLastError.KERNEL32 ref: 0023D224
__dosmaperr.LIBCMT ref: 0023D22B
ResumeThread.KERNEL32(00000000), ref: 0023D249

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction ID: 3545bb1817adb169f51037035a71b588a9f808ab59f7d56f4e9a13f5b342441c
Opcode Fuzzy Hash: b7c530cc40451db1f43f1f93f3775c0470dbaf6145bcb84fcc57621928bec3e2
Instruction Fuzzy Hash: D90126B2824204BBCB105FA5FC09BAB7A68DF82730F200219FC24921D1CF70C820CAA0

Function 0021600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
GetStockObject.GDI32(00000011), ref: 00216060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction ID: 224e3ad8ad06bd4ab245b75aa59b63805986bee9a33935a3550100d7540d02ca
Opcode Fuzzy Hash: 685e88f92739e1f1e4121a96f3a2f6d3686b71bfead3d8b2893aa9bfd471d7c0
Instruction Fuzzy Hash: 7D116D72511549BFEF129FA49C48EEEBBADFF1D3A4F140215FA1452110DB329CA0DBA0

Function 00233B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00233B56

Part of subcall function 00233AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00233AD2
Part of subcall function 00233AA3: ___AdjustPointer.LIBCMT ref: 00233AED

_UnwindNestedFrames.LIBCMT ref: 00233B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00233B7C
CallCatchBlock.LIBVCRUNTIME ref: 00233BA4

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: b23a545c2edd75e6b185bb5a05029c5232675a4db930ddadfa1c11480a5ee505
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0F0129B2110149BBDF12AE95CC42EEB7B6AEF48758F044054FE4866121C736EA71DFA0

Function 00243073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002113C6,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue), ref: 002430A5
GetLastError.KERNEL32(?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000,00000364,?,00242E46), ref: 002430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024301A,002113C6,00000000,00000000,00000000,?,0024328B,00000006,FlsSetValue,002B2290,FlsSetValue,00000000), ref: 002430BF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction ID: fe55c722081547982f167a622ca8031f10c3714c1f4c8e0f611ff8b47e6c714c
Opcode Fuzzy Hash: ba8931e33bb0e0d6941f9da7ca84bff0acbd3ed674a8fb31a22c130d2a2efae0
Instruction Fuzzy Hash: 3001F732331223ABCB35CF78AC88A577BD8AF46B61B200720F905E7140CB21D925C6E0

Function 00277464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0027747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00277497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002774CA

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction ID: 750df4380a3ec1b5bedb82018cf75ec99638d1a66c35d3aac6d4fc4fe04efd4f
Opcode Fuzzy Hash: e8e90c4f5622c1630e3c542c944f39924092706d12044a3dbdff9a4f064bdb12
Instruction Fuzzy Hash: D911A1B52153119BF7208F24EC18F927FFCEB04B00F10C569A61AD6151DBB0E914DB60

Function 0027B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027ACD3,?,00008000), ref: 0027B126

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction ID: 7757e93b4e5a3666749fac113ea7d748e62efd9399d0f2d88764ba23992776c4
Opcode Fuzzy Hash: e6dd250862cbe06e7d074bd696c359946453dcdd4389e0d8429597e58fe12581
Instruction Fuzzy Hash: A5118B30E2152DE7CF01AFE4E9687EEBB78FF0A311F108096D949B2181CB308661CB51

Function 00272DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00272DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00272DD6
GetCurrentThreadId.KERNEL32 ref: 00272DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00272DE4

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction ID: e0469c0acad6397cbd98ac743fbf0bf852d2c446e38640c296484e932ac6b361
Opcode Fuzzy Hash: db7da109d7d4073431fd3f56c9c6c765040940980c894459acec21da27cdddb2
Instruction Fuzzy Hash: 70E06D71611224BBD7205F63AC0DEEB3E6CEB83FA1F104015F109D10809AA08844C6B0

Function 002A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00229639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00229693
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296A2
Part of subcall function 00229639: BeginPath.GDI32(?), ref: 002296B9
Part of subcall function 00229639: SelectObject.GDI32(?,00000000), ref: 002296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002A8887
LineTo.GDI32(?,?,?), ref: 002A8894
EndPath.GDI32(?), ref: 002A88A4
StrokePath.GDI32(?), ref: 002A88B2

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction ID: 0ca67af6e67df3d4525cbe64481d454bc40dc61bf5f3dcc853598acf05656f56
Opcode Fuzzy Hash: 9ff9dc3af0a0451be90c3fc35ee1900a17c76122d06aa5793bbf5f8e52af2286
Instruction Fuzzy Hash: 2EF03A36055299BBDB125F94BC0DFCE3A59AF06310F548000FA11650E2CF795561CFA9

Function 002298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002298CC
SetTextColor.GDI32(?,?), ref: 002298D6
SetBkMode.GDI32(?,00000001), ref: 002298E9
GetStockObject.GDI32(00000005), ref: 002298F1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction ID: 29392e2ffa6e30d6fd419b284e4e668d3e40446c834ca1df97475f3033ee5ae5
Opcode Fuzzy Hash: a41f488b54878628067af8e209a1d74fd6bc14605d1cd73bea3a9e1c29525f72
Instruction Fuzzy Hash: C0E06D31244280ABDB215F74BC0DBE83F60EB13336F248219F6FA581E1CB7246949B10

Function 0027162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00271634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002711D9), ref: 00271648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002711D9), ref: 0027164F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction ID: a3f47065ecc10556b1d8b1ebbbf243ee6a27c4a0420533b336d9271dc871fbc4
Opcode Fuzzy Hash: a06dcd641581b9d5678093020d52b9b46879f30bb5c2dc13f193401b28dba1a3
Instruction Fuzzy Hash: 85E08631601221DBD7201FA4BD0DB473B7CAF46791F248848F745C9080DE344550C750

Function 0026D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D858
GetDC.USER32(00000000), ref: 0026D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction ID: 9a4ad128913ea096098d1a23f71dbe83bec56bb42e5e5ef5b8053bacadd2a8c0
Opcode Fuzzy Hash: d2568f800c817743f2c49863fa790cb1e53d77a3160b920179b858817506811a
Instruction Fuzzy Hash: DEE01AB4810204EFCB419FA0E80C66DBBF5FB49710F208049E816E7360CB788952AF40

Function 0026D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026D86C
GetDC.USER32(00000000), ref: 0026D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026D882
ReleaseDC.USER32(?), ref: 0026D8A3

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction ID: c1bb98e2b451ce756b70a050111000364f7dfba54ba894d34888b975f30f35f5
Opcode Fuzzy Hash: b7bffb8014a5001b017f421375d96555c00b170823e83da1b4be381922457499
Instruction Fuzzy Hash: 82E01A74810204EFCB419FA0E80C66DBBF5BB48710B208049E916E7360CB3899119F40

Function 00284D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00217620: _wcslen.LIBCMT ref: 00217625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00284ED4

Strings

LPT, xrefs: 00284DFB
*, xrefs: 00284E10

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 98b1df9e35ea01eace739a38a053b9cc9c0231a439cb8663954817f936ab4dbb
Instruction ID: 115cbfbd91a2dc3774f32ad1eea7dc25c5652b9176d981bdf36bd5ef2e69de49
Opcode Fuzzy Hash: 98b1df9e35ea01eace739a38a053b9cc9c0231a439cb8663954817f936ab4dbb
Instruction Fuzzy Hash: 12917179A112069FCB14EF54C484EA9BBF1BF58304F14809DE90A5F7A2C771ED95CB90

Function 0023E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0023E30D

Strings

pow, xrefs: 0023E2E5, 0023E302

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction ID: 1a89ae4386f1f12b5f9c97c964d39cb9d408c8fa48fb2aed909ce2929dfdb984
Opcode Fuzzy Hash: c0bfcab42c868d04d89ce8eaff850452e4a82930aa0c116f7fb6aec99e8752c0
Instruction Fuzzy Hash: 33514DA1E3C203D6CF197F24D9453BA3BA4EF40740F354A99E4B5422E9DB348CB99A46

Function 00297771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0026569E,00000000,?,002ACC08,?,00000000,00000000), ref: 002978DD

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

CharUpperBuffW.USER32(0026569E,00000000,?,002ACC08,00000000,?,00000000,00000000), ref: 0029783B

Strings

<s-, xrefs: 002977C8

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s-
API String ID: 3544283678-2482877350
Opcode ID: c2d6170445499c598a0cbb01bc0ec5e1bfae2bb59e494da1cf781ee9c92251b2
Instruction ID: 13b679b5ceff4d30093409969121c356a92fc524aca00d95ea87dc1f22c39d1c
Opcode Fuzzy Hash: c2d6170445499c598a0cbb01bc0ec5e1bfae2bb59e494da1cf781ee9c92251b2
Instruction Fuzzy Hash: 6E614C72934119AACF04EFE4CC95DFDB3B8FF24700B544126E542A7191EF70AAA5DBA0

Function 0022E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0022E1B1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a9101fbb0714d5b0da4515e4879beb8ff67734739ffd66eba7b6f9579bca2681
Instruction ID: a7b9dc70bc3c7eefad5e783c49af0ea6cbb24ba07e0eb4a2a5d9e837508ef0b8
Opcode Fuzzy Hash: a9101fbb0714d5b0da4515e4879beb8ff67734739ffd66eba7b6f9579bca2681
Instruction Fuzzy Hash: 55517838520203EFDF15DF68D041AFABBA8EF25310F254015EC929B2C0D6309DA2DBA0

Function 0022F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0022F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0022F2BB

Strings

@, xrefs: 0022F2AF

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction ID: 7b4a8fa14cf451162002f107dc870614437be7047fc9b8d967700ce3e4cb6792
Opcode Fuzzy Hash: fce487ff10e368480a6ba6c85e53d55e97f90960c64e97cb544d69c59a618c32
Instruction Fuzzy Hash: EF5134714187449BD320AF10E88ABAFBBF8FB95300F91885DF199421A5EB318579CB66

Function 00295745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002957E0
_wcslen.LIBCMT ref: 002957EC

Strings

CALLARGARRAY, xrefs: 002957E6, 002957EB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f04299b54e6df9164162c199dbad074113f1e9ccd36622dfe8ec999c9f37831e
Instruction ID: 46d13a8614d1e4b70fec1be97051303b6dc93f0b4fcbd63d775a5173d55fa312
Opcode Fuzzy Hash: f04299b54e6df9164162c199dbad074113f1e9ccd36622dfe8ec999c9f37831e
Instruction Fuzzy Hash: 3741AE71A2021A9FCF15DFA8C8859EEBBF5FF59320F108069E505A7251EB709DA1CF90

Function 0028D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0028D13A

Strings

|, xrefs: 0028D10B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction ID: 04888f2f5b196ccb783be25881505da79e6657b1ce60cf47f0888a93fa324b13
Opcode Fuzzy Hash: 7d48d1c3ee618d4ed50fe369dcebb51037bf7cbbbf243c0e235adbf59b621ec5
Instruction Fuzzy Hash: 63311B75D21109ABCF15EFA4CC89EEE7FB9FF14300F100119E819A61A5DB31A966DF50

Function 002A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A365C

Strings

static, xrefs: 002A35BC

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: af012bddeb747de0d5520dbe328774c80f555d478aae99747ee29fa8f51cbca8
Instruction ID: 9d65892481c90921ba6381abed4eaab83eb1627e6dbf20c54046d0b24ffeb790
Opcode Fuzzy Hash: af012bddeb747de0d5520dbe328774c80f555d478aae99747ee29fa8f51cbca8
Instruction Fuzzy Hash: C8318C71520205ABDB10DF68DC80EFB73ADFF89724F108619F8A597290DA31ADA19B64

Function 002A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A4634

Strings

', xrefs: 002A458E

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction ID: eefaed8118d88fab61ea92c3efcf491a69c54d9fc3071c95109e59968292843d
Opcode Fuzzy Hash: 316d84adafb31924a078e381f3059d900537ba4715654f42c8d31e46ccafa1b9
Instruction Fuzzy Hash: 1E312874A1120A9FDB14DF69C980BDA7BB9FF9A700F50406AE904AB341DBB0E951CF90

Function 00213923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002533A2

Part of subcall function 00216B57: _wcslen.LIBCMT ref: 00216B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00213A04

Strings

Line: , xrefs: 002533EB

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 463deef340f60c301eb302650b0512e0370aca49cb4dfb46320fb6a0d2e61f36
Instruction ID: a7084db38a39b34c6b0b6184a99146213df29897856c01a05ba43bf50eb35fcb
Opcode Fuzzy Hash: 463deef340f60c301eb302650b0512e0370aca49cb4dfb46320fb6a0d2e61f36
Instruction Fuzzy Hash: 9831C371468344AAC321EF20EC49BEFB7D8AF54710F10456AF59993191DB709AA8CBC6

Function 002A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A3287

Strings

Combobox, xrefs: 002A3249

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction ID: 67fb3b6b60cf525607308e1efbaed461e440a90ed6e43ebca6844c865bc1871b
Opcode Fuzzy Hash: 545327e51a7e00eb876a9466c4238e3c384ec104cdbe4512a86093edf234af43
Instruction Fuzzy Hash: B411E6713202097FFF15DE54DC84FBB375AEB96364F100125F91897290DA319D618B60

Function 002A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0021600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0021604C
Part of subcall function 0021600E: GetStockObject.GDI32(00000011), ref: 00216060
Part of subcall function 0021600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021606A

GetWindowRect.USER32(00000000,?), ref: 002A377A
GetSysColor.USER32(00000012), ref: 002A3794

Strings

static, xrefs: 002A3757

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction ID: a759fe289d60192f2e17b62ebc58c5160a04f470e99f4f80c4bced2c959aa19b
Opcode Fuzzy Hash: b17a1c4950ccc0fdd65ac2dd8f2dbea1d7e86a2270d75c0808e3ce9ff8ae0fe1
Instruction Fuzzy Hash: 07112CB262020AAFDB00DFA8DC45EFABBF8FB09354F104515F955E2250DB75E8619B50

Function 0028CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0028CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0028CDA6

Strings

<local>, xrefs: 0028CD66

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction ID: 07f9c7825bafc4e841f3cb60f3e98c71dc3f6337635bcb736988b7179ef52d44
Opcode Fuzzy Hash: d47f515d34048b3344f1c2047049ac95a8ad7ae117f8fefb2bf4128feb3c933e
Instruction Fuzzy Hash: 3B11A7751266327AD7286B668C49EE7BE5CEB127A4F204236B109831C0D7705861D7F0

Function 002A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A34BA

Strings

edit, xrefs: 002A348F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction ID: 29e8767cd0bd34433804724bce6002275e93bec5f12efff46ca11b0f5ef1b79d
Opcode Fuzzy Hash: e8fe61d51ad981c00e44ce84b709bc31394d69d456c2ac8b227986f2a09ad162
Instruction Fuzzy Hash: 5D119171520209AFEB11CE64EC44AFB376AEF1A774F604324F965971D0CB71DCA19B50

Function 00276C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

CharUpperBuffW.USER32(?,?,?), ref: 00276CB6
_wcslen.LIBCMT ref: 00276CC2

Strings

STOP, xrefs: 00276CBC, 00276CC1

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction ID: 82f2ebb9a87cfd71c9f99bf2046d8a80390d76bcd1e33e82f302d00e022dd555
Opcode Fuzzy Hash: 4809b2d6766b8df8f1593c3f58db2df86958e97a04002d72ad2f5244cef82c1b
Instruction Fuzzy Hash: F50104326309278BCB21AFFDDC889BF33A4EA65710B104539E85696190EB31D960CA50

Function 00271BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00271C46

Strings

ComboBox, xrefs: 00271BE5
ListBox, xrefs: 00271C10

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b43af95c78c74022c30ff397a539199e9e135969e2afc2bdb4920bb7817837f7
Instruction ID: c510bcfc564e13238b6fd40e86412e66e1e58f0b80e1c9603edc11467e74b171
Opcode Fuzzy Hash: b43af95c78c74022c30ff397a539199e9e135969e2afc2bdb4920bb7817837f7
Instruction Fuzzy Hash: 3801FC7166011467CB15EBD4C9529FF73E89F16340F20401FE80A672C1EA709E789AB2

Function 00271C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Part of subcall function 00273CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00273CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00271CC8

Strings

ComboBox, xrefs: 00271C69
ListBox, xrefs: 00271C94

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 04db3c7c5ad57a6860cacdf6db53f577a4953c65da9a69ed3575be9a9ebe4902
Instruction ID: 5b5255f2e8fe57811a7a73e56fc5e66352ce66257861582cd193ca1ae167a075
Opcode Fuzzy Hash: 04db3c7c5ad57a6860cacdf6db53f577a4953c65da9a69ed3575be9a9ebe4902
Instruction Fuzzy Hash: E001DB7166111567CB15EBD5CA12AFE73EC9F22340F14401BB84673281EA709F78DAB2

Function 0022A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022A529

Part of subcall function 00219CB3: _wcslen.LIBCMT ref: 00219CBD

Strings

3y&, xrefs: 0022A545, 0022A54D, 0022A552
,%., xrefs: 0022A509

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%.$3y&
API String ID: 2551934079-2574036372
Opcode ID: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction ID: b5981f9280d3bb059b276d62751f74cc193f2ad0f1ca1e2f8899103f62e710dc
Opcode Fuzzy Hash: d31d2c9882f7f5317de6a5a909dc560a486b2da4a5ae8130e051bb7357ee2f2e
Instruction Fuzzy Hash: 5B012B32B70660A7C504F7A8F9ABA9E73A89B06720FD00025F9065B5C2DE509DB58ED7

Function 002A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E3018,002E305C), ref: 002A81BF
CloseHandle.KERNEL32 ref: 002A81D1

Strings

\0., xrefs: 002A818A

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0.
API String ID: 3712363035-2574726650
Opcode ID: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction ID: a70bafd2a686982634856406212d18bd49f8590b8b904243fdb2005015d7b22b
Opcode Fuzzy Hash: 1eba2f4db613bc2efccf379f8b2330686bef87274970a2df07e04bf2e0ee13bb
Instruction Fuzzy Hash: D6F054F1690340BBE720E761FC4DFB73A5CDB05752F000460BB08DA1A1DA758A1486B4

Function 0029747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00297493
_wcslen.LIBCMT ref: 002974B9

Strings

3, 3, 16, 1, xrefs: 00297483

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction ID: 43ac95061c1755017ec26ce0a497ed78ea21bf0572ed6e81f728c9c16007f18e
Opcode Fuzzy Hash: a265634f4efd2ea47e0b3750de250e226ba8820302485d495857ca8d4418898b
Instruction Fuzzy Hash: 39E0AB462342201083302239DCC1B7F4799CFC9760B10282BF880C2267EA888CB183A0

Function 00270B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00270B23

Strings

Error allocating memory., xrefs: 00270B1C
AutoIt, xrefs: 00270B17

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1e74ef42bebba160d5351fcc981dc680a62d63bd230b593fffcb0b1b5cfa55c0
Instruction ID: 6713823ae5891aa4af603039c28c2dee7702ca7c3c9bcea453602a9e21dbc45d
Opcode Fuzzy Hash: 1e74ef42bebba160d5351fcc981dc680a62d63bd230b593fffcb0b1b5cfa55c0
Instruction Fuzzy Hash: 51E0D83126432837D21437947D07FC9BA848F06B20F200467F748555C38FE168B04AE9

Function 00230D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0022F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00230D71,?,?,?,0021100A), ref: 0022F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 00230D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 00230D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00230D7F

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction ID: 5006ee3ab72cb96fe0e868afa226845d275fccef98f07e01696125683ca942c3
Opcode Fuzzy Hash: 2b84931a86c0d2bf643ff7b6eba004f69637a9a134e2c05225e3a2bbed67dd2d
Instruction Fuzzy Hash: FBE06DB02103518BE3609FB8E698746BBF0EB05740F00496DE882C6655DBB4E4948BA1

Function 0022E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022E3D5

Strings

8%., xrefs: 0022E3CA
0%., xrefs: 0022E3B5

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%.$8%.
API String ID: 1385522511-764554917
Opcode ID: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction ID: f9b9ed2c95660304e8cec4d825218d3a000beea2eadda493d9e8aa2b5022d600
Opcode Fuzzy Hash: 3acd96835867d41815b38a2163ee6d8c84a9eb965d4b0295492a838fb2fae095
Instruction Fuzzy Hash: 9AE020314B0B74DBCE0CDB58B7E899C3359AB05321BD101E4F0034B1D5DBB018659A54

Function 0026D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0026D220

Strings

X64, xrefs: 0026D2A8
%.3d, xrefs: 0026D22B

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction ID: c1ae8be1c40b5d1c916e888fd5e42a8f032e741803ab5c14d82c0644f81cfa1b
Opcode Fuzzy Hash: 83d78da49dcd8e8ed029355484adfb82e24f02ff2c7ad84341bcf9ab70d0c133
Instruction Fuzzy Hash: 2BD012B1D3811CFACB9096D0DC599B9B37CAB09301F608462FC0691041E7A8D5A86B61

Function 002A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A233F

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2325

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction ID: 00c339d531a2169e2cf376124d7306408241b75700762e7802a0423883af0e86
Opcode Fuzzy Hash: e2aa9293dffdfc807abeca247c0e345c877380f4771d4bb584b91baa3fb67b48
Instruction Fuzzy Hash: AFD022323E0300B7E668B730EC0FFC6BA089B02B00F1049027349AA1D0CCF0A800CE10

Function 002A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A236C
PostMessageW.USER32(00000000), ref: 002A2373

Part of subcall function 0027E97B: Sleep.KERNEL32 ref: 0027E9F3

Strings

Shell_TrayWnd, xrefs: 002A2365

Memory Dump Source

Source File: 00000000.00000002.1430282686.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000000.00000002.1430260572.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430334632.00000000002D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430378554.00000000002DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.00000000002E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1430396535.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210000_rRFQ_025261-97382.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction ID: d2af451661cf0b0389f17c839f9b5fb4887a773f5f62d3aab95d053cc61c51dd
Opcode Fuzzy Hash: 5a76260697e5a9c19d8a621ded75206b817a1b2064daecfcd8dc57d0e9021da0
Instruction Fuzzy Hash: 9ED0A9323D0300BBE668A730AC0FFC6A6089B06B00F1049027345AA1D0C8B0A8008A14

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rRFQ_025261-97382.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_5bfa5ea0315cdaca1a7b99df22c7fbd6fc2a1cb_d4dab669_9df69206-636c-4235-adee-284acc9437f2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC640.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC799.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7B9.tmp.xml

C:\Users\user\AppData\Local\Temp\autA153.tmp

C:\Users\user\AppData\Local\Temp\autA193.tmp

C:\Users\user\AppData\Local\Temp\brontothere

C:\Users\user\AppData\Local\Temp\trickstress

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
rRFQ_025261-97382.exe

Function 002142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 002142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00252BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0027DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 00212CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00248D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 0025065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0021344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00212B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00213170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00212C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00282947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00245AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Function 00213B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre