Edit tour

Windows Analysis Report
6YmCyBvw73.exe

Overview

General Information

Sample name:	6YmCyBvw73.exe renamed because original name is a hash value
Original sample name:	b77405e92a8557ab11d1d6ed25d6b390.exe
Analysis ID:	1482750
MD5:	b77405e92a8557ab11d1d6ed25d6b390
SHA1:	2e99877c99419d903160b772d68425e14dbb1566
SHA256:	35e708ca54de7e0f81312a42ab72744b5ad5d1a6a3d2145104c154a3fb74c6a7
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

6YmCyBvw73.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\6YmCyBvw73.exe" MD5: B77405E92A8557AB11D1D6ED25D6B390)

svchost.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\6YmCyBvw73.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b880:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x143cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ec13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16962:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ec13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\6YmCyBvw73.exe", CommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", ParentImage: C:\Users\user\Desktop\6YmCyBvw73.exe, ParentProcessId: 6532, ParentProcessName: 6YmCyBvw73.exe, ProcessCommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", ProcessId: 6668, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\6YmCyBvw73.exe", CommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", ParentImage: C:\Users\user\Desktop\6YmCyBvw73.exe, ParentProcessId: 6532, ParentProcessName: 6YmCyBvw73.exe, ProcessCommandLine: "C:\Users\user\Desktop\6YmCyBvw73.exe", ProcessId: 6668, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T03:17:08.279454+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T03:17:46.045753+0200
SID:	2022930
Source Port:	443
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6YmCyBvw73.exe	Virustotal: Detection: 64%			Perma Link
Source: 6YmCyBvw73.exe	ReversingLabs: Detection: 62%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 6YmCyBvw73.exe

Joe Sandbox ML: detected

Source: 6YmCyBvw73.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 6YmCyBvw73.exe, 00000000.00000003.1357312549.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 6YmCyBvw73.exe, 00000000.00000003.1355866335.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585615124.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578087190.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6YmCyBvw73.exe, 00000000.00000003.1357312549.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 6YmCyBvw73.exe, 00000000.00000003.1355866335.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1766376607.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585615124.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578087190.0000000002F00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D6DBBE
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D3C2A2 FindFirstFileExW,	0_2_00D3C2A2
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D768EE FindFirstFileW,FindClose,	0_2_00D768EE
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D7698F
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D6D076
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D6D3A9
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D79642
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D7979D
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D79B2B
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D75C97

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D7CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00D7CE44

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D7EAFF

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D7ED6A

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

0_2_00D7EAFF

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D6AA57

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D99576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: 6YmCyBvw73.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 6YmCyBvw73.exe, 00000000.00000000.1343742876.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4ed80887-9
Source: 6YmCyBvw73.exe, 00000000.00000000.1343742876.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_79b962d6-6
Source: 6YmCyBvw73.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4f8d89d8-e
Source: 6YmCyBvw73.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6b8f5f12-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042BF03 NtClose,	2_2_0042BF03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,	2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,	2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374340 NtSetContextThread,	2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374650 NtSuspendThread,	2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BA0 NtEnumerateValueKey,	2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B80 NtQueryInformationFile,	2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BF0 NtAllocateVirtualMemory,	2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BE0 NtQueryValueKey,	2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AB0 NtWaitForSingleObject,	2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AF0 NtWriteFile,	2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AD0 NtReadFile,	2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F30 NtCreateSection,	2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F60 NtCreateProcessEx,	2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FB0 NtResumeThread,	2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FA0 NtQuerySection,	2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F90 NtProtectVirtualMemory,	2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FE0 NtCreateFile,	2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E30 NtWriteVirtualMemory,	2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,	2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E80 NtReadVirtualMemory,	2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EE0 NtQueueApcThread,	2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D30 NtUnmapViewOfSection,	2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D10 NtMapViewOfSection,	2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D00 NtSetInformationFile,	2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DB0 NtEnumerateKey,	2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DD0 NtDelayExecution,	2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C00 NtQueryInformationProcess,	2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C70 NtFreeVirtualMemory,	2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C60 NtCreateKey,	2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CA0 NtQueryInformationToken,	2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CF0 NtOpenProcess,	2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CC0 NtQueryVirtualMemory,	2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373010 NtOpenDirectoryObject,	2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373090 NtSetValueKey,	2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033739B0 NtGetContextThread,	2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D10 NtOpenProcessToken,	2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D70 NtOpenThread,	2_2_03373D70

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D6D5EB

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D61201

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D6E8F6

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D72046	0_2_00D72046
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D08060	0_2_00D08060
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D68298	0_2_00D68298
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D3E4FF	0_2_00D3E4FF
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D3676B	0_2_00D3676B
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D94873	0_2_00D94873
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D0CAF0	0_2_00D0CAF0
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D2CAA0	0_2_00D2CAA0
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D1CC39	0_2_00D1CC39
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D36DD9	0_2_00D36DD9
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D091C0	0_2_00D091C0
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D1B119	0_2_00D1B119
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D21394	0_2_00D21394
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D21706	0_2_00D21706
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D2781B	0_2_00D2781B
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D219B0	0_2_00D219B0
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D1997D	0_2_00D1997D
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D07920	0_2_00D07920
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D27A4A	0_2_00D27A4A
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D27CA7	0_2_00D27CA7
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D21C77	0_2_00D21C77
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D39EEE	0_2_00D39EEE
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D8BE44	0_2_00D8BE44
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D21F32	0_2_00D21F32
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_038F3610	0_2_038F3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403120	2_2_00403120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401270	2_2_00401270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416ACE	2_2_00416ACE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416AD3	2_2_00416AD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023FC	2_2_004023FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402400	2_2_00402400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FD53	2_2_0040FD53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042E503	2_2_0042E503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404535	2_2_00404535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026F0	2_2_004026F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF73	2_2_0040FF73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DFEA	2_2_0040DFEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DFF3	2_2_0040DFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034003E6	2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C02C0	2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330100	2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F41A2	2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034001AA	2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F81CC	2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364750	2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C6E0	2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03400591	2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4420	2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F2446	2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EE4F6	2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F6BD7	2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A9A6	2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334A840	2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033268B8	2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E8F0	2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360F30	2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E2F30	2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03382F28	2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4F40	2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BEFA0	2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334CFE0	2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332FC8	2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEE26	2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340E59	2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352E90	2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FCE93	2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEEDB	2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DCD1F	2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334AD00	2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03358DBF	2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333ADE0	2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340C00	2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0CB5	2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330CF2	2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F132D	2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332D34C	2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0338739A	2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033452A0	2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E12ED	2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B2C0	2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B16B	2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332F172	2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337516C	2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334B1B0	2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F70E9	2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF0E0	2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EF0CC	2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033470C0	2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF7B0	2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385630	2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F16CC	2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7571	2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034095C3	2_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DD5B0	2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF43F	2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03331460	2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFB76	2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FB80	2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B5BF0	2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337DBF9	2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B3A6C	2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFA49	2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7A46	2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DDAAC	2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385AA0	2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E1AA3	2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EDAC6	2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D5910	2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349950	2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B950	2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AD800	2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033438E0	2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFF09	2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFFB1	2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03341F92	2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD2	2_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD5	2_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349EB0	2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7D73	2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F1D5A	2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03343D40	2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FDC0	2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B9C32	2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFCF2	2_2_033FFCF2

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: String function: 00D1F9F2 appears 40 times
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: String function: 00D24963 appears 31 times
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: String function: 00D09CB3 appears 31 times
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: String function: 00D20A30 appears 46 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 110 times

Source: 6YmCyBvw73.exe, 00000000.00000003.1356442843.0000000003FDD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6YmCyBvw73.exe
Source: 6YmCyBvw73.exe, 00000000.00000003.1353246983.0000000003DE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6YmCyBvw73.exe

Source: 6YmCyBvw73.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal92.troj.evad.winEXE@3/4@0/0

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D737B5 GetLastError,FormatMessageW,

0_2_00D737B5

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D610BF AdjustTokenPrivileges,CloseHandle,		0_2_00D610BF
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D616C3

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D751CD

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D8A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D8A67C

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D7648E

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D042A2

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

File created: C:\Users\user\AppData\Local\Temp\aut4211.tmp

Jump to behavior

Source: 6YmCyBvw73.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6YmCyBvw73.exe	Virustotal: Detection: 64%
Source: 6YmCyBvw73.exe	ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\6YmCyBvw73.exe "C:\Users\user\Desktop\6YmCyBvw73.exe"
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6YmCyBvw73.exe"
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6YmCyBvw73.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: 6YmCyBvw73.exe

Static file information: File size 1245696 > 1048576

Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6YmCyBvw73.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6YmCyBvw73.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 6YmCyBvw73.exe, 00000000.00000003.1357312549.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 6YmCyBvw73.exe, 00000000.00000003.1355866335.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585615124.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578087190.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6YmCyBvw73.exe, 00000000.00000003.1357312549.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 6YmCyBvw73.exe, 00000000.00000003.1355866335.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1766376607.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1585615124.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1766376607.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578087190.0000000002F00000.00000004.00000020.00020000.00000000.sdmp

Source: 6YmCyBvw73.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6YmCyBvw73.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6YmCyBvw73.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6YmCyBvw73.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6YmCyBvw73.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D042DE

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D20A76 push ecx; ret	0_2_00D20A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004140C9 push esp; iretd	2_2_004140DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004121D7 push ds; ret	2_2_004121E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004121D7 pushfd ; retf	2_2_00412241
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412201 pushfd ; retf	2_2_00412241
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412220 pushfd ; retf	2_2_00412241
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004142E8 push 0E789B45h; retf	2_2_00414301
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403390 push eax; ret	2_2_00403392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411488 push edi; retf	2_2_0041148D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401D20 pushfd ; iretd	2_2_00401D28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418580 push ecx; retf	2_2_00418583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401650 push ds; ret	2_2_00401654
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A674 push eax; iretd	2_2_0041A675
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330225F pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033027FA pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx	2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330283D push eax; iretd	2_2_03302858

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D1F98E
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D91C41

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99402

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

API/Special instruction interceptor: Address: 38F3234

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	API coverage: 4.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5916

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D6DBBE
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D3C2A2 FindFirstFileExW,	0_2_00D3C2A2
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D768EE FindFirstFileW,FindClose,	0_2_00D768EE
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D7698F
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D6D076
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D6D3A9
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D79642
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D7979D
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D79B2B
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D75C97

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D042DE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417A83 LdrLoadDll,

2_2_00417A83

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D7EAA2 BlockInput,

0_2_00D7EAA2

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D32622

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D042DE

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D24CE8 mov eax, dword ptr fs:[00000030h]	0_2_00D24CE8
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_038F3500 mov eax, dword ptr fs:[00000030h]	0_2_038F3500
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_038F34A0 mov eax, dword ptr fs:[00000030h]	0_2_038F34A0
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_038F1E70 mov eax, dword ptr fs:[00000030h]	0_2_038F1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h]	2_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]	2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]	2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]	2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]	2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]	2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]	2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h]	2_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]	2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h]	2_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]	2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]	2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]	2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h]	2_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]	2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]	2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]	2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]	2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]	2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]	2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]	2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]	2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]	2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]	2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]	2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]	2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]	2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h]	2_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]	2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]	2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]	2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]	2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]	2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]	2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]	2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]	2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]	2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]	2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]	2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]	2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]	2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]	2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]	2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]	2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]	2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]	2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]	2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]	2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]	2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]	2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]	2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]	2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]	2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]	2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]	2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]	2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]	2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]	2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]	2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]	2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]	2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]	2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]	2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]	2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]	2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]	2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]	2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]	2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]	2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]	2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h]	2_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]	2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h]	2_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]	2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]	2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]	2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]	2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]	2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]	2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]	2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]	2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]	2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]	2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]	2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]	2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404940 mov eax, dword ptr fs:[00000030h]	2_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]	2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]	2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]	2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]	2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]	2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]	2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]	2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]	2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]	2_2_033BC810

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D60B62

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D32622
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D2083F
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D209D5 SetUnhandledExceptionFilter,	0_2_00D209D5
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D20C21

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 786008

Jump to behavior

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

0_2_00D61201

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D42BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D42BA5

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D6B226 SendInput,keybd_event,

0_2_00D6B226

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D822DA

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6YmCyBvw73.exe"

Jump to behavior

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

0_2_00D60B62

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D61663

Source: 6YmCyBvw73.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6YmCyBvw73.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D20698 cpuid

0_2_00D20698

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D78195

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D5D27A GetUserNameW,

0_2_00D5D27A

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D3B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00D3B952

Source: C:\Users\user\Desktop\6YmCyBvw73.exe

Code function: 0_2_00D042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D042DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 6YmCyBvw73.exe	Binary or memory string: WIN_81
Source: 6YmCyBvw73.exe	Binary or memory string: WIN_XP
Source: 6YmCyBvw73.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 6YmCyBvw73.exe	Binary or memory string: WIN_XPe
Source: 6YmCyBvw73.exe	Binary or memory string: WIN_VISTA
Source: 6YmCyBvw73.exe	Binary or memory string: WIN_7
Source: 6YmCyBvw73.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D81204
Source: C:\Users\user\Desktop\6YmCyBvw73.exe	Code function: 0_2_00D81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D81806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	24 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	12 Virtualization/Sandbox Evasion	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6YmCyBvw73.exe	64%	Virustotal		Browse
6YmCyBvw73.exe	62%	ReversingLabs	Win32.Trojan.Strab
6YmCyBvw73.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482750
Start date and time:	2024-07-26 03:15:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6YmCyBvw73.exe renamed because original name is a hash value
Original Sample Name:	b77405e92a8557ab11d1d6ed25d6b390.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@3/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 49 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
21:17:24	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\6YmCyBvw73.exe
File Type:	data
Category:	dropped
Size (bytes):	286208
Entropy (8bit):	7.992906700031579
Encrypted:	true
SSDEEP:	6144:zYBzjvyzWNJadtIlQqD6DNsB7ASlJiYCcQ7yJQmd3zccrZ8Uc:06zWNJSmtD41OHk7yT3z4n
MD5:	5A4FC3D91D5C2D2786719DE2484BC434
SHA1:	362DD19211AB8D424E763F6398848F32322F8E60
SHA-256:	FABC0FCA017FE8270F7967D4FB971389E8060795D5172FC736EE551D23EC1AE2
SHA-512:	EED3041ACD3DC94B44BC33A8975328B360501A0D5D99B97F9963048E667091B1A228F3107A72A126CF5E0C300AB4577EB4BFFB86D52FB69D4BA8E811CF578CF0
Malicious:	false
Reputation:	low
Preview:	..s..XA4L..?..q.LN...dSA...LQTM6LMXA4LPIN6FLQTM6LMXA4LPIN.FLQZR.BM.H.m.H..g.9=>.<?7&F-=i-W("> mT)m4Zl9'nr..q9"R)cUL>hPIN6FLQ-L?.p8&.q0...&+.N.w8&.V...&+.N.q8&..9&.&+.TM6LMXA4..INzGMQ...,MXA4LPIN.FNP_L=LM.E4LPIN6FLQtX6LMHA4L0MN6F.QT]6LMZA4JPIN6FLQRM6LMXA4L0MN6DLQTM6LOX..LPYN6VLQTM&LMHA4LPIN&FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQz9S49XA4..MN6VLQT.2LMHA4LPIN6FLQTM6LmXATLPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4

C:\Users\user\AppData\Local\Temp\aut4211.tmp

Download File

Process:	C:\Users\user\Desktop\6YmCyBvw73.exe
File Type:	data
Category:	dropped
Size (bytes):	286208
Entropy (8bit):	7.992906700031579
Encrypted:	true
SSDEEP:	6144:zYBzjvyzWNJadtIlQqD6DNsB7ASlJiYCcQ7yJQmd3zccrZ8Uc:06zWNJSmtD41OHk7yT3z4n
MD5:	5A4FC3D91D5C2D2786719DE2484BC434
SHA1:	362DD19211AB8D424E763F6398848F32322F8E60
SHA-256:	FABC0FCA017FE8270F7967D4FB971389E8060795D5172FC736EE551D23EC1AE2
SHA-512:	EED3041ACD3DC94B44BC33A8975328B360501A0D5D99B97F9963048E667091B1A228F3107A72A126CF5E0C300AB4577EB4BFFB86D52FB69D4BA8E811CF578CF0
Malicious:	false
Reputation:	low
Preview:	..s..XA4L..?..q.LN...dSA...LQTM6LMXA4LPIN6FLQTM6LMXA4LPIN.FLQZR.BM.H.m.H..g.9=>.<?7&F-=i-W("> mT)m4Zl9'nr..q9"R)cUL>hPIN6FLQ-L?.p8&.q0...&+.N.w8&.V...&+.N.q8&..9&.&+.TM6LMXA4..INzGMQ...,MXA4LPIN.FNP_L=LM.E4LPIN6FLQtX6LMHA4L0MN6F.QT]6LMZA4JPIN6FLQRM6LMXA4L0MN6DLQTM6LOX..LPYN6VLQTM&LMHA4LPIN&FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQz9S49XA4..MN6VLQT.2LMHA4LPIN6FLQTM6LmXATLPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4LPIN6FLQTM6LMXA4

C:\Users\user\AppData\Local\Temp\aut4280.tmp

Download File

Process:	C:\Users\user\Desktop\6YmCyBvw73.exe
File Type:	data
Category:	dropped
Size (bytes):	9760
Entropy (8bit):	7.629337406365613
Encrypted:	false
SSDEEP:	192:CZIUd0cGw1zWEtGbIn+XmqvCYlDU8UdOFAOaVuHsuhgUwQh04FQ9h5ZKy:Yd0bWWEtiq+X/CDDbuhg/l4G9hT/
MD5:	1543E64600BBB43FE1CD6C4B313ECCC4
SHA1:	9475A5C25784FFF7D54775C62E208EF73EB26D6C
SHA-256:	01377D1659EBBB715ADDDF1F47743FD84FD1F44B56AE4A4A1ADEC010FE969C17
SHA-512:	A4B913CC8283677EBB859B3A812E057CD2B0CB174ACF68BFB86A58923A78C0CC182B8CD9B88DA0F2DE3A7FA74473E5D40EC42684816A75B7A795A0CF747C569F
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\cacostomia

Download File

Process:	C:\Users\user\Desktop\6YmCyBvw73.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.579856146200606
Encrypted:	false
SSDEEP:	384:gAQKy7bFwQ4/6BmsM6IYj8R250duCqYRcL02TqOIdsVHfGbLph1juTJOtHtiP:PQKM1GsMMIAb/o2TMdshGbLph1jXtAP
MD5:	71B1735A97E6505D133242C03C2FC7B4
SHA1:	EA246667E108644C6985934B0078255857EBB236
SHA-256:	F76B9914B958DE7C122680D54C201E36BA554694D5C8BC0500CF103D170C2965
SHA-512:	EF11D1B1F366EBF89160911BBC6D76AB6D8D6BF570AA948DDE8E442DD015FCCDEDC2A90039875EE0CE1A618FFB0196383553DA0F21B743815356FC2E98947963
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.132559959246828
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6YmCyBvw73.exe
File size:	1'245'696 bytes
MD5:	b77405e92a8557ab11d1d6ed25d6b390
SHA1:	2e99877c99419d903160b772d68425e14dbb1566
SHA256:	35e708ca54de7e0f81312a42ab72744b5ad5d1a6a3d2145104c154a3fb74c6a7
SHA512:	1fdf58b766d5311248bd4682071d4efc5558d5d2bd29cf8f79034d4a36949f0b97af5e2e032e928bd18c2a7ba43c65d2e19debacfaf2956d9aab62af0dbd8d51
SSDEEP:	24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8al4WaFs5i/L:fTvC/MTQYxsWR7al4W+
TLSH:	3245BF0273D1C062FFAB92734B96F6115BBC69260123E62F13A81D79BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x669F0125 [Tue Jul 23 01:02:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA6F8F788A3h
jmp 00007FA6F8F781AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6F8F7838Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA6F8F7835Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA6F8F7AF4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA6F8F7AF98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA6F8F7AF81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x596cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x596cc	0x59800	e32f2188cb20e88ad3fa0a2b5b238f9f	False	0.928391781599162	data	7.897232861989735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x50d62	data			1.0003352400741756
RT_GROUP_ICON	0x12d174	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12d1ec	0x14	data	English	Great Britain	1.15
RT_VERSION	0x12d200	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12d2dc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	21:16:49
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\6YmCyBvw73.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6YmCyBvw73.exe"
Imagebase:	0xd00000
File size:	1'245'696 bytes
MD5 hash:	B77405E92A8557AB11D1D6ED25D6B390
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:16:50
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6YmCyBvw73.exe"
Imagebase:	0xee0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1766342914.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1765996953.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	51

Executed Functions

Function 00D042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D0430D

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

GetCurrentProcess.KERNEL32(?,00D9CB64,00000000,?,?), ref: 00D04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00D04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D04466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00D0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00D044A0

Strings

kernel32.dll, xrefs: 00D0444F
|O, xrefs: 00D436F8
GetNativeSystemInfo, xrefs: 00D04460

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 95ef3709c6c8642f4052bfc7c26c087a321cf0a5cd887ae6679d420499257a9a
Instruction ID: 55550401e9157494b62be801ba94d077e2a4c82d5f8067ac583520215f212f60
Opcode Fuzzy Hash: 95ef3709c6c8642f4052bfc7c26c087a321cf0a5cd887ae6679d420499257a9a
Instruction Fuzzy Hash: 5FA1A3AA91B3C0FFCB11CB6DBC416957FE5EB26340B18589BE185D3B62D2719908CB31

Function 00D042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D050AA,?,?,00000000,00000000), ref: 00D042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D050AA,?,?,00000000,00000000), ref: 00D042C9
LoadResource.KERNEL32(?,00000000,?,?,00D050AA,?,?,00000000,00000000,?,?,?,?,?,?,00D04F20), ref: 00D435BE
SizeofResource.KERNEL32(?,00000000,?,?,00D050AA,?,?,00000000,00000000,?,?,?,?,?,?,00D04F20), ref: 00D435D3
LockResource.KERNEL32(00D050AA,?,?,00D050AA,?,?,00000000,00000000,?,?,?,?,?,?,00D04F20,?), ref: 00D435E6

Strings

SCRIPT, xrefs: 00D042BF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 894cc12c94677f0f760a5a20d3812e3a305c1ca0a8b06566d0e14eb03fc40d71
Instruction ID: 3d77d4e799e722ad182416d1ffb9975ed2f6236957891af430f59aa7c057c94e
Opcode Fuzzy Hash: 894cc12c94677f0f760a5a20d3812e3a305c1ca0a8b06566d0e14eb03fc40d71
Instruction Fuzzy Hash: 6F118EB0701700BFDB218B65DC48F277BB9EBC5B51F14416AF506DA290DB71DC008634

Function 00D42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00D02B6B

Part of subcall function 00D03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DD1418,?,00D02E7F,?,?,?,00000000), ref: 00D03A78

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00DC2224), ref: 00D42C10
ShellExecuteW.SHELL32(00000000,?,?,00DC2224), ref: 00D42C17

Strings

runas, xrefs: 00D42C0B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c95ccf1e99b09f9f93cd1499fd9c7b71597797a441b50123fc4c3e277d82e2e0
Instruction ID: a9e1ecfe493b8b1539d2897d207b2f9c2b73171bc7eb7837236b24bf2eb25897
Opcode Fuzzy Hash: c95ccf1e99b09f9f93cd1499fd9c7b71597797a441b50123fc4c3e277d82e2e0
Instruction Fuzzy Hash: 2B11B1312093416AC714FF64D896BBEB7A8DB91340F48542EF18A532E7DF209A49C732

Function 00D6DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00D45222), ref: 00D6DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D6DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00D6DBEE
FindClose.KERNEL32(00000000), ref: 00D6DBFA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ced251acbebe8ed89bcda4ca7af151b37e5849efa0625daa40d2074bbead9594
Instruction ID: 31b074e6435ac2adfdeb746650d96e1035268a0dcb89e3bd0df331a78be8017e
Opcode Fuzzy Hash: ced251acbebe8ed89bcda4ca7af151b37e5849efa0625daa40d2074bbead9594
Instruction Fuzzy Hash: A3F0A030820A1857C220AB78AC0D8AA377D9E05334B544703F876C22E0EBB1999486F9

Function 00D0D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D0D807
timeGetTime.WINMM ref: 00D0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D0DB28
TranslateMessage.USER32(?), ref: 00D0DB7B
DispatchMessageW.USER32(?), ref: 00D0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D0DB9F
Sleep.KERNEL32(0000000A), ref: 00D0DBB1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 53aeb97a19d6ce928be32071a8d92e490beab862c508dd1233fde77152d84c7e
Instruction ID: 68e7f23637cda7ddfa62d556bdcae4a60948d1d639c36d95d761c18eb6e6efa3
Opcode Fuzzy Hash: 53aeb97a19d6ce928be32071a8d92e490beab862c508dd1233fde77152d84c7e
Instruction Fuzzy Hash: DA42CE30604341AFDB25CF64D844BBAB7A2FF56314F18855AE899872D1D771E848CFB2

Function 00D02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D02D07
RegisterClassExW.USER32(00000030), ref: 00D02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D02D42
InitCommonControlsEx.COMCTL32(?), ref: 00D02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D02D6F
LoadIconW.USER32(000000A9), ref: 00D02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D02D94

Strings

TaskbarCreated, xrefs: 00D02D37
0, xrefs: 00D02CE9
AutoIt v3 GUI, xrefs: 00D02D23
+, xrefs: 00D02CF0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 566afb3110e5c495243b94ed3887d21d47118cbec2558e20f08957d8c8ca6c1f
Instruction ID: 3bac44f3913a18670b1cb1d55fa5555778e87d6261451f6beb7a007993942bbc
Opcode Fuzzy Hash: 566afb3110e5c495243b94ed3887d21d47118cbec2558e20f08957d8c8ca6c1f
Instruction Fuzzy Hash: 6921E2B9952308AFDB00DFA4E859BDDBBB8FB08700F10511BF511E63A0D7B105448FA0

Function 00D4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00D40704,?,?,00000000,?,00D40704,00000000,0000000C), ref: 00D403B7

GetLastError.KERNEL32 ref: 00D4076F
__dosmaperr.LIBCMT ref: 00D40776
GetFileType.KERNELBASE(00000000), ref: 00D40782
GetLastError.KERNEL32 ref: 00D4078C
__dosmaperr.LIBCMT ref: 00D40795
CloseHandle.KERNEL32(00000000), ref: 00D407B5
CloseHandle.KERNEL32(?), ref: 00D408FF
GetLastError.KERNEL32 ref: 00D40931
__dosmaperr.LIBCMT ref: 00D40938

Strings

H, xrefs: 00D408BD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd6a3943daafb29d1e81f0b4e1f99b51f3dde55ea79122772d99eed92086ef55
Instruction ID: 7de8016eb8e9d161391f7bea96f9b130ebe5f18355427c165a920581416ecab4
Opcode Fuzzy Hash: dd6a3943daafb29d1e81f0b4e1f99b51f3dde55ea79122772d99eed92086ef55
Instruction Fuzzy Hash: ABA12432A102148FDF19AF78D851BAE7FA0EF46324F28015AF915EB391D7359812CBB1

Function 00D0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DD1418,?,00D02E7F,?,?,?,00000000), ref: 00D03A78

Part of subcall function 00D03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D03379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D431CE
RegCloseKey.ADVAPI32(?), ref: 00D43210
_wcslen.LIBCMT ref: 00D43277
_wcslen.LIBCMT ref: 00D43286

Strings

\Include\, xrefs: 00D03527
\, xrefs: 00D4328C
Include, xrefs: 00D43184, 00D431C5
Software\AutoIt v3\AutoIt, xrefs: 00D03560

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: eb3a04d865426b19553d2fea48a22be0dfdcd7708d1484f63d281e8f383f428d
Instruction ID: 01dedcf06251b3f7f85c7bc54462893737946f78b84c1dabe0114f80c55d5e67
Opcode Fuzzy Hash: eb3a04d865426b19553d2fea48a22be0dfdcd7708d1484f63d281e8f383f428d
Instruction Fuzzy Hash: AD7139715053019FC714EF69EC82A6BBBE8FFA5350F40452EF549C22A1EB709A488B76

Function 00D02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00D02B9D
LoadIconW.USER32(00000063), ref: 00D02BB3
LoadIconW.USER32(000000A4), ref: 00D02BC5
LoadIconW.USER32(000000A2), ref: 00D02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D02BEF
RegisterClassExW.USER32(?), ref: 00D02C40

Part of subcall function 00D02CD4: GetSysColorBrush.USER32(0000000F), ref: 00D02D07
Part of subcall function 00D02CD4: RegisterClassExW.USER32(00000030), ref: 00D02D31
Part of subcall function 00D02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D02D42
Part of subcall function 00D02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00D02D5F
Part of subcall function 00D02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D02D6F
Part of subcall function 00D02CD4: LoadIconW.USER32(000000A9), ref: 00D02D85
Part of subcall function 00D02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D02D94

Strings

0, xrefs: 00D02C0F
#, xrefs: 00D02C16
AutoIt v3, xrefs: 00D02C2F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: de561b7de1c2629acff57c823f74b46a7efde28fbb8f1bc99f7a94927b5dd1c0
Instruction ID: a691c9bc7d2d7bea5c2a006362df5338d5d62ce950fd1bb8925e1ff3f0a527fc
Opcode Fuzzy Hash: de561b7de1c2629acff57c823f74b46a7efde28fbb8f1bc99f7a94927b5dd1c0
Instruction Fuzzy Hash: 75210778E12318BBDB109FE6EC59AA97FB4FB48B50F50011BE504E67A0D7B11540CFA4

Function 00D03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D0316A,?,?), ref: 00D031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00D0316A,?,?), ref: 00D03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D0316A,?,?), ref: 00D03232
CreatePopupMenu.USER32 ref: 00D03246
PostQuitMessage.USER32(00000000), ref: 00D03267

Strings

TaskbarCreated, xrefs: 00D0322D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9f9b9f9e9caf84932a93bc2580c92f84e67b2b8175d8bd35fb68afa39f01c0e0
Instruction ID: b231195cb6f479080ae2c9bfd88a50c4b58fe3df196a8b2cc23ad08f5c7b1635
Opcode Fuzzy Hash: 9f9b9f9e9caf84932a93bc2580c92f84e67b2b8175d8bd35fb68afa39f01c0e0
Instruction Fuzzy Hash: A6413439A50304BBDB145BB89C2DB793B1DEB09340F081127F95AC63E1CB71CA809BB6

Function 00D38D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584ada4c8edb26b01aa0dc97b57a9278b50a35c596f1b4ddd859f5dbd6429a87
Instruction ID: 5d510f1b63dff337359374358a2c54280af132b60a3f26e12cfabf2f9f04c12a
Opcode Fuzzy Hash: 584ada4c8edb26b01aa0dc97b57a9278b50a35c596f1b4ddd859f5dbd6429a87
Instruction Fuzzy Hash: F2C1ED74A04349AFCB15EFA8D851BADBBB0EF4A310F184099F955AB392C7758941CF70

Function 038F25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 038F26C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 038F28E7

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 7c05279d1282b9b2f21afd3e6921a7c9592a18e0cc10ab3ef9f34a4b2e8d1627
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: E7A1F778E10209EFDB14CFE4C894BAEBBB5BF48304F248599E601BB280D7799A45CF55

Function 00D02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00D01CAD,?), ref: 00D02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00D01CAD,?), ref: 00D02CCF

Strings

edit, xrefs: 00D02CAC
AutoIt v3, xrefs: 00D02C89, 00D02C8E, 00D02C8F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 33868f2a754d1119936aeea6a88cff723cb15fbe34f52a84fb7d1b011a13798f
Instruction ID: 9a67239e12d80d278f1b1e36ecb687dbfc236a24f3ccfc51e258daccc2f8bdeb
Opcode Fuzzy Hash: 33868f2a754d1119936aeea6a88cff723cb15fbe34f52a84fb7d1b011a13798f
Instruction Fuzzy Hash: FBF0D4796513907BEB311B67AC08E772FBDD7CAF60B00105BF904E27A0C6611850DEB0

Function 038F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 038F22A0: Sleep.KERNELBASE(000001F4), ref: 038F22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 038F24DA

Strings

TM6LMXA4LPIN6FLQ, xrefs: 038F253D, 038F2540

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID: CreateFileSleep
String ID: TM6LMXA4LPIN6FLQ
API String ID: 2694422964-2945786455
Opcode ID: 44e95736891781b299719a6b9cbfb925c01e083335b7200f8976df572396452d
Instruction ID: 46c955a9b175599997dacc0722b9eadd270315db0184aec88343589f6eb1a5f1
Opcode Fuzzy Hash: 44e95736891781b299719a6b9cbfb925c01e083335b7200f8976df572396452d
Instruction Fuzzy Hash: E7516C74D0424DEBEF11DBE4C825BEEBB79AF18300F004599A609BB2C0D67A4B44CB66

Function 00D72947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D72C05
DeleteFileW.KERNEL32(?), ref: 00D72C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D72CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D72CC0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: dcc5e345ee8b743568304e4f5bfa8b8ca3c18a629903f77eee1272d5d418fece
Instruction ID: 108ee13c633da804ed04eb0ab5ad952cd7a1835c4bdb0dc96f322842f9d8b4f8
Opcode Fuzzy Hash: dcc5e345ee8b743568304e4f5bfa8b8ca3c18a629903f77eee1272d5d418fece
Instruction Fuzzy Hash: 38B16D72900129ABDF21DFA4DC85EEFB7BDEF49354F1080A6F909E6145EA309A448F71

Function 00D03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D03B0F,SwapMouseButtons,00000004,?), ref: 00D03B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D03B0F,SwapMouseButtons,00000004,?), ref: 00D03B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D03B0F,SwapMouseButtons,00000004,?), ref: 00D03B83

Strings

Control Panel\Mouse, xrefs: 00D03B3E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 320187f206f6b4159db55ea446fdcea6ff75755a36a5ddeb596c02a1a8c65db1
Instruction ID: d7f84b6d1fb0f8ed03452ff591ef6dea0eb1055e1692737faf6598ebfe31c64a
Opcode Fuzzy Hash: 320187f206f6b4159db55ea446fdcea6ff75755a36a5ddeb596c02a1a8c65db1
Instruction Fuzzy Hash: D8112AB5520208FFDB208FA5DC85AAEBBBCEF04748B14445AA809D7250D271DE449770

Function 038F12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 038F1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 038F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038F1B13

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: e966e165ac187cdb46373eb6ec1ee5dbb84e6b9a3e375013c65465f4a8cc58cf
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 06622B34A14258DBEB24CFA4C844BDEB376EF58304F1091A9D20DEB394E7799E81CB59

Function 00D0DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00D532B7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: f1168d7a38b6631f53ba860d07512da39b368b198297009353e408c0f35eee62
Instruction ID: b3bc6d62bff95632cd801f852a3a550b822666be7d289cb0e6902f7baf2556c6
Opcode Fuzzy Hash: f1168d7a38b6631f53ba860d07512da39b368b198297009353e408c0f35eee62
Instruction Fuzzy Hash: 4CC26871A00214DFCB24CF58D880BADB7B1FB58311F288969E959AB391D771ED81CBB1

Function 00D1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00D20668

Part of subcall function 00D232A4: RaiseException.KERNEL32(?,?,?,00D2068A,?,00DD1444,?,?,?,?,?,?,00D2068A,00D01129,00DC8738,00D01129), ref: 00D23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00D20685

Strings

Unknown exception, xrefs: 00D20692

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: afd37ddc75c789c650586f669eeb044b4861f9220518f4680a35b32e0de3e3c9
Instruction ID: b0e375f71b137adaa59acb6a5503a750616b219c2d835e65c140f24e6a889588
Opcode Fuzzy Hash: afd37ddc75c789c650586f669eeb044b4861f9220518f4680a35b32e0de3e3c9
Instruction Fuzzy Hash: F2F0C23490031DB7CB00B7A4F846DAE7B6C9E20318B604575B814D6593EF71DA69C5F0

Function 00D73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D7302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D73044

Strings

aut, xrefs: 00D73038

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d49382668904b9984b96d31fa274edbf55635819407dec6f6cc344dce9bbc584
Instruction ID: 31ca13857ad08b083659e146a16140c0c42676ee25b4fb880f5662718cd03d22
Opcode Fuzzy Hash: d49382668904b9984b96d31fa274edbf55635819407dec6f6cc344dce9bbc584
Instruction Fuzzy Hash: EDD05E725003287BDA20A7A4AC0EFCB3A6CDB05750F0002A2B655E2191DAB0D984CAF4

Function 00D87F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00D882F5
TerminateProcess.KERNEL32(00000000), ref: 00D882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00D884DD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 960c237e59686bd758a13493c5c372a57cd9d298abd3e3097b98f34ea8ce7712
Instruction ID: 694d49515db857fc5507a48c59363b3d15a0327851cd9a1d187093cc4adc2092
Opcode Fuzzy Hash: 960c237e59686bd758a13493c5c372a57cd9d298abd3e3097b98f34ea8ce7712
Instruction Fuzzy Hash: 37126B719083419FC714EF28C484B6ABBE5FF85314F48895DE8898B392DB31ED45CBA2

Function 00D35AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169db63c16a3dffb5765778429ea336e7b6219cddf17155377243a0607bb026b
Instruction ID: eade80befe13abc6495cd8afcc3810bf57ab4afa2eb60ee2986ca57298f224b8
Opcode Fuzzy Hash: 169db63c16a3dffb5765778429ea336e7b6219cddf17155377243a0607bb026b
Instruction Fuzzy Hash: 8751AF71D00719AFCB209FA4E845FEEBBB8EF46318F18046AF405A7299D73199019B71

Function 00D010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D01BF4
Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D01BFC
Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D01C07
Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D01C12
Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D01C1A
Part of subcall function 00D01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D01C22

Part of subcall function 00D01B4A: RegisterWindowMessageW.USER32(00000004,?,00D012C4), ref: 00D01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D0136A
OleInitialize.OLE32 ref: 00D01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00D424AB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4f8bffcacef8111bdf357948837196d6f17185d6cdc3605265d143c0a7131aa9
Instruction ID: 948bfecdb308abb5e52c41bb317899f93dab4dedfa65b48fcfe77d17538be4f0
Opcode Fuzzy Hash: 4f8bffcacef8111bdf357948837196d6f17185d6cdc3605265d143c0a7131aa9
Instruction Fuzzy Hash: 887187BCA12341BEC784EFA9B9456553BF1FB89344754822BD00AC73A2EB388445CF71

Function 00D054C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00D0556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00D0557D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1385291fbd7df8ba6ee47a403479832a722a4cd24162389916e36bdff5f0fc4
Instruction ID: 5b90f153c4f700263049180f228ba220bd2ba5af0d963802e3280d719b7819b7
Opcode Fuzzy Hash: b1385291fbd7df8ba6ee47a403479832a722a4cd24162389916e36bdff5f0fc4
Instruction Fuzzy Hash: 46311B75A00609EBDB14CF28D884B9AB7B5FB44314F188629ED1997284D771FD94CFA0

Function 00D386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00D385CC,?,00DC8CC8,0000000C), ref: 00D38704
GetLastError.KERNEL32(?,00D385CC,?,00DC8CC8,0000000C), ref: 00D3870E
__dosmaperr.LIBCMT ref: 00D38739

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 0756d6c806cdedaab3cfdce8bf849bf903764ca2e8e793db316cce43c6a65509
Instruction ID: e80d612ec4e68110c05f187856fe10dfd2c35481dda3c92520ebed1dd45288c7
Opcode Fuzzy Hash: 0756d6c806cdedaab3cfdce8bf849bf903764ca2e8e793db316cce43c6a65509
Instruction Fuzzy Hash: 26012633A0572026D6246334B946B7E6B598B82778F3D011AF815CB1D2DEA0CC81A1B0

Function 00D72FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00D72CD4,?,?,?,00000004,00000001), ref: 00D72FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D73006
CloseHandle.KERNEL32(00000000,?,00D72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D7300D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 94ed3b52b3af0db8cf924b39060f630efd18be3fc29c11ba823b549fc7ad2854
Instruction ID: bf6fa8a331b138ab7b3767c97aa1ad2446630e56952d57f5e07ad309a01813f3
Opcode Fuzzy Hash: 94ed3b52b3af0db8cf924b39060f630efd18be3fc29c11ba823b549fc7ad2854
Instruction Fuzzy Hash: 4BE0863269031077D2301755BC0EF8B3A1CD786B71F104211F719B51D096A1150152BC

Function 00D11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D117F6

Strings

CALL, xrefs: 00D117C6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e65be356397bc48ae98605f7f4e958dbe1f5c7bebf22851d0b5dc61877f1b106
Instruction ID: 238c6059d3fca1524fe461edf0489d05d8240541c831e97d5675d50cfc297b4f
Opcode Fuzzy Hash: e65be356397bc48ae98605f7f4e958dbe1f5c7bebf22851d0b5dc61877f1b106
Instruction Fuzzy Hash: AD227D74608301AFD714DF14E480A6ABBF2FF85314F58895DF9968B3A1DB31E885CB62

Function 00D76EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D76F6B

Part of subcall function 00D04ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D76F5A, 00D76F63

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 325421eb210b61a28a02d5378c4e7beef5173e48c3f2e5fb29c23698fff6afce
Instruction ID: dc8f9c6ae230a5ff72799f74ae5835aa899926c00041a85c3aa85840a2c6a199
Opcode Fuzzy Hash: 325421eb210b61a28a02d5378c4e7beef5173e48c3f2e5fb29c23698fff6afce
Instruction Fuzzy Hash: D7B175715083019FCB14EF24C891A6EB7E5EF94310F44895DF59A972A2EB30ED45CBB2

Function 00D02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00D42C8C

Part of subcall function 00D03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D03A97,?,?,00D02E7F,?,?,?,00000000), ref: 00D03AC2

Part of subcall function 00D02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D02DC4

Strings

X, xrefs: 00D42C5A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d83e9de263a380ddaf552ef71eecac2443cd89ec7d674755cad3670865416a84
Instruction ID: 702b708b3eff1cb72fe82d15d6cbb319a58374740cfbd0fbaed90ff4a9fe186a
Opcode Fuzzy Hash: d83e9de263a380ddaf552ef71eecac2443cd89ec7d674755cad3670865416a84
Instruction Fuzzy Hash: 52219371A102589BCB01EF94C849BEE7BFCEF49304F00405AF549E7381DBB49A898BB1

Function 00D72557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D72587

Strings

EA06, xrefs: 00D725B9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 26145390b25bcabc2827cc79689e61fd2c7693e52d758d75790a69092c129d42
Instruction ID: b2711f4bba0504bc6a6e0624098af9032a64876eb73962134758c21c5e5c024c
Opcode Fuzzy Hash: 26145390b25bcabc2827cc79689e61fd2c7693e52d758d75790a69092c129d42
Instruction Fuzzy Hash: B201B5729042687EDF18C7A8C856EBEBBF8DB15315F00455AF192D2181E5B4E6088B70

Function 00D05745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D0949C,?,00008000), ref: 00D05773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00D0949C,?,00008000), ref: 00D44052

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4e69a06b2ea8bb6e737aa1ac1df2e8b464d5ce499efd90aa104624f62ee02fe
Instruction ID: dc608815f55e9e40fb83c2ff63ef036ee318c8ffed308a6dc8711ee8a5db968f
Opcode Fuzzy Hash: a4e69a06b2ea8bb6e737aa1ac1df2e8b464d5ce499efd90aa104624f62ee02fe
Instruction Fuzzy Hash: EA014031145325B6E7304A2ADC0EF977F98EF427B0F148311BE9C6A1E0DBB45854DBA4

Function 00D0B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D0BB4E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: d16a55470def3fd1cedee26dbee15b40ebfb8574c4ad147185916d5d383f967d
Instruction ID: 0220fe8a0731ce14e9a8cb7ef2a0e5fd6e42d10bf892453fe38ae0030b074b47
Opcode Fuzzy Hash: d16a55470def3fd1cedee26dbee15b40ebfb8574c4ad147185916d5d383f967d
Instruction Fuzzy Hash: 81327D34A082099FDF14CF54C894BBABBB5EF44320F18805AED59AB2A1D774ED45CBB1

Function 038F129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 038F1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 038F1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 038F1B13

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 819ba470058aaa08587667282045268148b771516554f43f15a750a0e4ab9650
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 4612CD24E24658C6EB24DF64D8547DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 00D04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D04EDD,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E9C
Part of subcall function 00D04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D04EAE
Part of subcall function 00D04E90: FreeLibrary.KERNEL32(00000000,?,?,00D04EDD,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04EFD

Part of subcall function 00D04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D43CDE,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E62
Part of subcall function 00D04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D04E74
Part of subcall function 00D04E59: FreeLibrary.KERNEL32(00000000,?,?,00D43CDE,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E87

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 73233f579012b4f0525768bfca511e79e8dd54cd6d091d9da58775f7c1efc191
Instruction ID: 2ca2dd9d4442b214ef986821f3f44b393105e4e57d8e45c705703351baeb27ec
Opcode Fuzzy Hash: 73233f579012b4f0525768bfca511e79e8dd54cd6d091d9da58775f7c1efc191
Instruction Fuzzy Hash: 9411E3B2610306ABDF14FB64DC52FAD7BA5EF40711F10842EF64AA61C1EEB09E459B70

Function 00D38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00D38440

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 821b88151bf87e03ea28f5f80d92951ea8047211c40804264b7018f8d657fbad
Instruction ID: d4550f3c8aa08dc9e4dddd2a1033eab63b494064508f42717ccb1c46f3b0eeb2
Opcode Fuzzy Hash: 821b88151bf87e03ea28f5f80d92951ea8047211c40804264b7018f8d657fbad
Instruction Fuzzy Hash: 4511487190420AAFCF05DF58E94099A7BF5EF48300F144059F808AB312DB31DA11DBB4

Function 00D09A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00D0543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00D09A9C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e37925eb04d6c915febda29b780d608edbf9df3fcb6a4b10606b4f3bbe43446d
Instruction ID: 263bbb4a1b0cf94fdaff6c5a83ee1214679c750fd60da544f43de82c37f4b8b9
Opcode Fuzzy Hash: e37925eb04d6c915febda29b780d608edbf9df3fcb6a4b10606b4f3bbe43446d
Instruction Fuzzy Hash: 0D1106312047059FD7208E19D891B66F7E9EB44764F14C42EE99B8AA92C770E945CB70

Function 00D35000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D34C7D: RtlAllocateHeap.NTDLL(00000008,00D01129,00000000,?,00D32E29,00000001,00000364,?,?,?,00D2F2DE,00D33863,00DD1444,?,00D1FDF5,?), ref: 00D34CBE

_free.LIBCMT ref: 00D3506C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 76be7407e510f35422ea9b2317e8393f390d6980bc13a42d16732554cf1874ff
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 9B0149726047046BE3358F65E881A5AFBECFB89370F29051DE184832C0EB31A805C7B4

Function 00D2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b42517303d4f638cb2bb8f5c318ab23dc709c9d9e89b23ad5b1533d2e59d5ffd
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 89F0F432511A3096C6313A69BC05B5A3398DF7233AF140B25F420921D2DB74E8028AB5

Function 00D34C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00D01129,00000000,?,00D32E29,00000001,00000364,?,?,?,00D2F2DE,00D33863,00DD1444,?,00D1FDF5,?), ref: 00D34CBE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad8a9767bcf428894586e584c05d239f1464ecd36a20440173782f7124e78d35
Instruction ID: 018425d27e7ff7271b6d024403097f428ff50b04896e33ed338d33eb0655e7d1
Opcode Fuzzy Hash: ad8a9767bcf428894586e584c05d239f1464ecd36a20440173782f7124e78d35
Instruction Fuzzy Hash: 1CF0BE31603234A6DB215F62AD09B5A3788EF917A0F196122BC19EA295CE78FC0186B0

Function 00D33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6,?,00D01129), ref: 00D33852

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0a6fd459c9d0a888f819aa3dda324f1ecd3758f0fdb278587b5973b5c1cc961
Instruction ID: 0669bed1de49eb4e8a991831a4ffed53c2adbff8f1e9c4706016a84e6cc42fd8
Opcode Fuzzy Hash: a0a6fd459c9d0a888f819aa3dda324f1ecd3758f0fdb278587b5973b5c1cc961
Instruction Fuzzy Hash: F2E0E531102334A6E6212A66AE00B9A3748EF927B0F090031BC44E25A0CB11DD0181F4

Function 00D04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04F6D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 10210d380d0479b2e955ecf9ccae2e319a95c04fd1fc484e0ec184bc3138a3ed
Instruction ID: 8bb0fcfb6d935d8b088ee6344e66762a2da8def11afef099d1bd6bd88f1099a0
Opcode Fuzzy Hash: 10210d380d0479b2e955ecf9ccae2e319a95c04fd1fc484e0ec184bc3138a3ed
Instruction Fuzzy Hash: 37F039B1109752CFDB349F64E490E22BBE4EF14329324897EE3EE82661C7319884DF20

Function 00D02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D02DC4

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1a5552460c1730a1c7fcad3da01645cfc758d8868ca655d597438b88f3d12aaa
Instruction ID: 65875fb3a9dca8dbff52b676b916367b7efb2477cf30822fe69a5d5d5b13d85d
Opcode Fuzzy Hash: 1a5552460c1730a1c7fcad3da01645cfc758d8868ca655d597438b88f3d12aaa
Instruction Fuzzy Hash: E4E0CD766042245BC710D7589C05FDA77DDDFC8790F040071FD09D7248D960ED848570

Function 00D72693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D726B5

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 102f98a6fc17d640b603cc497a105bd41f08c4bdd53d3cc0e725975b975f6bb9
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 99E04FB0609B005FDF3D6A28A8517BAB7E8DF49300F04486FF69F82252F57278458A6D

Function 00D02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D03908

Part of subcall function 00D0D730: GetInputState.USER32 ref: 00D0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00D02B6B

Part of subcall function 00D030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D0314E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 75fe53a7b02dee3d2c7e0ee9bca3c33d4f2ed88fc79acaa4c8fe356e4ddac9b4
Instruction ID: 9d689d5f86894da5ff58526d9be724f30cd8edeb990b4c76e8d2c70aaa7f0777
Opcode Fuzzy Hash: 75fe53a7b02dee3d2c7e0ee9bca3c33d4f2ed88fc79acaa4c8fe356e4ddac9b4
Instruction Fuzzy Hash: AEE0862130524417C608BB75985677DB75DDBD1351F40553FF14A833E3CE2445454271

Function 00D4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00D40704,?,?,00000000,?,00D40704,00000000,0000000C), ref: 00D403B7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f59d3c9406f374ac8420c28922ce2c9d8bff968fcdbc9bd9dfdb38d03f2690ef
Instruction ID: 278fb6149f83b04b73be713c9f07be8dfada925bf94916876c84aa1908be2a51
Opcode Fuzzy Hash: f59d3c9406f374ac8420c28922ce2c9d8bff968fcdbc9bd9dfdb38d03f2690ef
Instruction Fuzzy Hash: 81D06C3205020DBBDF028F84DD06EDA3BAAFB48714F014100BE18A6120C732E821ABA4

Function 00D01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00D01CBC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d62c21c280058ba96c03e3c6ea6201205e0a0f577487fa5f553fb63069034e07
Instruction ID: 793a85a9d851f7b60ef81fb432fa98aef1d331d50baa6beccdbd7e866de776d4
Opcode Fuzzy Hash: d62c21c280058ba96c03e3c6ea6201205e0a0f577487fa5f553fb63069034e07
Instruction Fuzzy Hash: 85C0923A381304AFF2148B84BC4AF207764E358B00F448003F609E9BE3C3A22820EA70

Function 00D7744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00D05745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D0949C,?,00008000), ref: 00D05773

GetLastError.KERNEL32(00000002,00000000), ref: 00D776DE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: c458ef961425be1558ee6b4e14f6c7c5a0df40f5e9bdf78b19289234bbe88542
Instruction ID: 68f82e4d70d8732a78afa1204e81f82c526f7c533c25882ea8ab92d6ca2ffa2f
Opcode Fuzzy Hash: c458ef961425be1558ee6b4e14f6c7c5a0df40f5e9bdf78b19289234bbe88542
Instruction Fuzzy Hash: D8813D306087019FC755EF28C491B6AB7E1EF89314F08895DF8995B296DB30ED45CBB2

Function 00D1FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D1FD1F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f21fad9fb32360679aa1a6901799484aaf82353338467dae69dec9cee69570a6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D0310C75A04109EBC718DF59E4C09A9F7A2FF49300B2886A5E80ACF655DB31EDC1DBE0

Function 038F22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 038F22B1

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f15aa68c32d85244a1b1037ee94d41b40b8289e3222490f229732a14a8008d8b
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FFE0E67498110EDFDB00EFF8D54969E7FB4EF04311F1005A1FD01D2280D6309D508A72

Non-executed Functions

Function 00D99576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D996C9
SendMessageW.USER32 ref: 00D996F2
GetKeyState.USER32(00000011), ref: 00D9978B
GetKeyState.USER32(00000009), ref: 00D99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D997AE
GetKeyState.USER32(00000010), ref: 00D997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D997E9
SendMessageW.USER32 ref: 00D99810
SendMessageW.USER32(?,00001030,?,00D97E95), ref: 00D99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D99941
SetCapture.USER32(?), ref: 00D9994A
ClientToScreen.USER32(?,?), ref: 00D999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D999D6
ReleaseCapture.USER32 ref: 00D999E1
GetCursorPos.USER32(?), ref: 00D99A19
ScreenToClient.USER32(?,?), ref: 00D99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D99A80
SendMessageW.USER32 ref: 00D99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D99AEB
SendMessageW.USER32 ref: 00D99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D99B4A
GetCursorPos.USER32(?), ref: 00D99B68
ScreenToClient.USER32(?,?), ref: 00D99B75
GetParent.USER32(?), ref: 00D99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D99BFA
SendMessageW.USER32 ref: 00D99C2B
ClientToScreen.USER32(?,?), ref: 00D99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D99CDE
SendMessageW.USER32 ref: 00D99D01
ClientToScreen.USER32(?,?), ref: 00D99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D99D82

Part of subcall function 00D19944: GetWindowLongW.USER32(?,000000EB), ref: 00D19952

GetWindowLongW.USER32(?,000000F0), ref: 00D99E05

Strings

@GUI_DRAGID, xrefs: 00D9997D
@U=u, xrefs: 00D9965B, 00D996C9, 00D996F2, 00D997AE, 00D997E9, 00D99810, 00D99918, 00D99A80, 00D99AAE, 00D99AEB, 00D99B1A, 00D99BFA, 00D99C2B, 00D99CDE, 00D99D01
F, xrefs: 00D99D07

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: 11a67f0d18fbda6674ddcf56fcc4b35e5b2754ebedc82ae5f8e39ae9d98e3c07
Instruction ID: c170114d305c6c54e8f1ddac8b302d2ab4e18113d5dbcb7a4ba74ebf8f65ee30
Opcode Fuzzy Hash: 11a67f0d18fbda6674ddcf56fcc4b35e5b2754ebedc82ae5f8e39ae9d98e3c07
Instruction Fuzzy Hash: E4425A35605341AFDB25CF68CCA4AAABBE5EF49310F14061EF599872A1D731E890CF71

Function 00D94873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D94A7E
IsMenu.USER32(?), ref: 00D94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D94B20
GetWindowLongW.USER32(?,000000F0), ref: 00D94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D94C82
wsprintfW.USER32 ref: 00D94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D94D5A

Strings

@U=u, xrefs: 00D948F3, 00D94908, 00D9495C, 00D94A0F, 00D94A56, 00D94A7E, 00D94BE3, 00D94C82, 00D94CC9, 00D94D13, 00D94D33, 00D94E15, 00D94E4E, 00D94EA5, 00D94F10
%d/%02d/%02d, xrefs: 00D94CA8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: e8299f58eb54356ba3dfce4c66c80da1fef7e60f36dcc8cf8bca95dd09b1bbd1
Instruction ID: 739179df2d72894037eb9d27a974a546b70380f138c298c3672aede498684370
Opcode Fuzzy Hash: e8299f58eb54356ba3dfce4c66c80da1fef7e60f36dcc8cf8bca95dd09b1bbd1
Instruction Fuzzy Hash: 3F12AB71600215ABEF258F28CC49FAE7BE8EF45714F14412AF516EB2A2DB74D942CB70

Function 00D1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5F474
IsIconic.USER32(00000000), ref: 00D5F47D
ShowWindow.USER32(00000000,00000009), ref: 00D5F48A
SetForegroundWindow.USER32(00000000), ref: 00D5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D5F4AA
GetCurrentThreadId.KERNEL32 ref: 00D5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D5F4DE
SetForegroundWindow.USER32(00000000), ref: 00D5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5F4F6
keybd_event.USER32(00000012,00000000), ref: 00D5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5F50B
keybd_event.USER32(00000012,00000000), ref: 00D5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5F519
keybd_event.USER32(00000012,00000000), ref: 00D5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D5F528
keybd_event.USER32(00000012,00000000), ref: 00D5F52D
SetForegroundWindow.USER32(00000000), ref: 00D5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D5F557

Strings

Shell_TrayWnd, xrefs: 00D5F46F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c1270fb8a71039e4a09b7755336560a65dc17b3cd67d5eb3320414ff530087d4
Instruction ID: 714186682ccf694c671c93a5e97e5abe4391f330d0102f0e2d0e84e0589777cd
Opcode Fuzzy Hash: c1270fb8a71039e4a09b7755336560a65dc17b3cd67d5eb3320414ff530087d4
Instruction Fuzzy Hash: 52317371A503187BEF206BB59C49FBF7E6CEB44B50F141026FA00EA2D1D6B09D00AA70

Function 00D61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D6170D
Part of subcall function 00D616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D6173A
Part of subcall function 00D616C3: GetLastError.KERNEL32 ref: 00D6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D612A8
CloseHandle.KERNEL32(?), ref: 00D612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D612D1
GetProcessWindowStation.USER32 ref: 00D612EA
SetProcessWindowStation.USER32(00000000), ref: 00D612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D61310

Part of subcall function 00D610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D611FC), ref: 00D610D4
Part of subcall function 00D610BF: CloseHandle.KERNEL32(?,?,00D611FC), ref: 00D610E9

Strings

default, xrefs: 00D6130B
winsta0, xrefs: 00D612CC
, xrefs: 00D6125A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 36a544b2f229987615d1c6fb390d8128dda75d1ec8541e16120c4a5851e31db5
Instruction ID: ecd1b2e5c01451e9f72d921bc15585a05e4fe3330ee150e2cb1d50f330198628
Opcode Fuzzy Hash: 36a544b2f229987615d1c6fb390d8128dda75d1ec8541e16120c4a5851e31db5
Instruction Fuzzy Hash: 71816875A00309ABDF219FA4DC49BEE7BB9EF04704F18412AF911E62A0DB71A944CB71

Function 00D60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D61114
Part of subcall function 00D610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61120
Part of subcall function 00D610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D6112F
Part of subcall function 00D610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61136
Part of subcall function 00D610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D60C00
GetLengthSid.ADVAPI32(?), ref: 00D60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D60C6D
GetLengthSid.ADVAPI32(?), ref: 00D60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D60C8C
HeapAlloc.KERNEL32(00000000), ref: 00D60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D60CB4
CopySid.ADVAPI32(00000000), ref: 00D60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60D45
HeapFree.KERNEL32(00000000), ref: 00D60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60D55
HeapFree.KERNEL32(00000000), ref: 00D60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60D65
HeapFree.KERNEL32(00000000), ref: 00D60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D60D78
HeapFree.KERNEL32(00000000), ref: 00D60D7F

Part of subcall function 00D61193: GetProcessHeap.KERNEL32(00000008,00D60BB1,?,00000000,?,00D60BB1,?), ref: 00D611A1
Part of subcall function 00D61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D60BB1,?), ref: 00D611A8
Part of subcall function 00D61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D60BB1,?), ref: 00D611B7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 19dd359a2a8d9067753fee7b9358b6b0ad855b1e94b479dd7bf65bcfa0f5f024
Instruction ID: 474b194f01bb3d9563979c1b07c83952ef7a4e18fc8a20c317b6c6b520127308
Opcode Fuzzy Hash: 19dd359a2a8d9067753fee7b9358b6b0ad855b1e94b479dd7bf65bcfa0f5f024
Instruction Fuzzy Hash: 10712776A0020AABDF10DFA4DC45BEFBBB8AF05310F184616E919E7291D775AA05CF70

Function 00D7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D9CC08), ref: 00D7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D7EB37
GetClipboardData.USER32(0000000D), ref: 00D7EB43
CloseClipboard.USER32 ref: 00D7EB4F
GlobalLock.KERNEL32(00000000), ref: 00D7EB87
CloseClipboard.USER32 ref: 00D7EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00D7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D7EBC9
GetClipboardData.USER32(00000001), ref: 00D7EBD1
GlobalLock.KERNEL32(00000000), ref: 00D7EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00D7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D7EC38
GetClipboardData.USER32(0000000F), ref: 00D7EC44
GlobalLock.KERNEL32(00000000), ref: 00D7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D7ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00D7ECF3
CountClipboardFormats.USER32 ref: 00D7ED14
CloseClipboard.USER32 ref: 00D7ED59

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0f50e4e5da79bd73b5869cee32febe6d8178cdf1c8989a67cbd36f0fe15a2887
Instruction ID: 9e62ef9b6b2e630e39fad05e12b549cc2e62b6eb5b223ee9eea0bbfa15fa994b
Opcode Fuzzy Hash: 0f50e4e5da79bd73b5869cee32febe6d8178cdf1c8989a67cbd36f0fe15a2887
Instruction Fuzzy Hash: 1361B1342043019FD310EF24D895F6ABBA4EF88704F58959EF45AD72A2EB71D905CBB2

Function 00D7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D769BE
FindClose.KERNEL32(00000000), ref: 00D76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D76A75

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D76ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D76B6A
%4d, xrefs: 00D76BB1
%03d, xrefs: 00D76DA2
%02d, xrefs: 00D76C00, 00D76C0A, 00D76C5A, 00D76CAA, 00D76CFA, 00D76D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D76B32

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 31056e69d83a8a6590bf8704eaeaba6ee0c492314002d107db49c8092349f248
Instruction ID: 66954ff664e6c2de7754dd127167831e7aa3fe87dd2d7c1526fc0d90fe966457
Opcode Fuzzy Hash: 31056e69d83a8a6590bf8704eaeaba6ee0c492314002d107db49c8092349f248
Instruction Fuzzy Hash: 5AD14FB2508340AEC714EBA4C991EABB7ECEF88704F44491DF589D7291EB74DA44CB72

Function 00D79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D79663
GetFileAttributesW.KERNEL32(?), ref: 00D796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D796D3
FindClose.KERNEL32(00000000), ref: 00D796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D7974A
SetCurrentDirectoryW.KERNEL32(00DC6B7C), ref: 00D79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D79772
FindClose.KERNEL32(00000000), ref: 00D7977F
FindClose.KERNEL32(00000000), ref: 00D7978F

Strings

*.*, xrefs: 00D796F5

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 52a373e8e8d892b6b186059b473d4e2b4cfee0f2ba0da0619484d2989ad7a6cf
Instruction ID: 0306a7842c750c6576ff3c046c46830b1eff20868574ce8117229f37f54b6bc6
Opcode Fuzzy Hash: 52a373e8e8d892b6b186059b473d4e2b4cfee0f2ba0da0619484d2989ad7a6cf
Instruction Fuzzy Hash: 2831A2325512196FDF14EFB4EC59EDEB7AC9F09321F148156F819E21A0EB30DE448A34

Function 00D7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D79819
FindClose.KERNEL32(00000000), ref: 00D79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D79890
SetCurrentDirectoryW.KERNEL32(00DC6B7C), ref: 00D798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D798B8
FindClose.KERNEL32(00000000), ref: 00D798C5
FindClose.KERNEL32(00000000), ref: 00D798D5

Part of subcall function 00D6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D6DB00

Strings

*.*, xrefs: 00D7983B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3749ccc5b94ed43a78a09eab48899834897cec2e8bd21c5bb3be230639bad735
Instruction ID: 333e93987570a2c99be918baed987c1ef2ab06b83166d3c3fd839f9b26132205
Opcode Fuzzy Hash: 3749ccc5b94ed43a78a09eab48899834897cec2e8bd21c5bb3be230639bad735
Instruction Fuzzy Hash: 5831C3325406196EDF10EFB4EC58EDEB7ACDF06320F188196E818E21D0EB30DD458A75

Function 00D78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D78395

Strings

*.*, xrefs: 00D7839B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 31dd0b4b858a60281f7a8e19e8a724c0f42b4f7ebf85fd33eb674692e1d70a9a
Instruction ID: e219565436668571dce5bd48a63e2bcba9f0caa72c98bdbfed981de64d6c33b5
Opcode Fuzzy Hash: 31dd0b4b858a60281f7a8e19e8a724c0f42b4f7ebf85fd33eb674692e1d70a9a
Instruction Fuzzy Hash: B66137725083459FC710EF64C849AAEB3E8FF89314F04891EE999C7251EB31E945CBB2

Function 00D6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D03A97,?,?,00D02E7F,?,?,?,00000000), ref: 00D03AC2

Part of subcall function 00D6E199: GetFileAttributesW.KERNEL32(?,00D6CF95), ref: 00D6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D6D1DD
MoveFileW.KERNEL32(?,?), ref: 00D6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D6D237

Part of subcall function 00D6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D6D21C,?,?), ref: 00D6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D6D253
FindClose.KERNEL32(00000000), ref: 00D6D264

Strings

\*.*, xrefs: 00D6D0CD, 00D6D0D6, 00D6D0EB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 51cb64aef4cbcae4407b77bac2b35277bbc62a907556f8ed4ca19613f7ae7f6a
Instruction ID: 28bd644535be1034eca50d338f6a37e653f7a7eec7594835d01dc6cbec36fe86
Opcode Fuzzy Hash: 51cb64aef4cbcae4407b77bac2b35277bbc62a907556f8ed4ca19613f7ae7f6a
Instruction Fuzzy Hash: 3E615E31D0124D9BCF05EBA0E9A2AEEB776EF55300F644165E405B7192EB30AF09CB70

Function 00D7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D7ED91
EmptyClipboard.USER32 ref: 00D7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D7EDAC
CloseClipboard.USER32 ref: 00D7EEA3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b428f3fbece7b80ea9e5016ccd54e93fdb401fce830393d07ee739e808b00f47
Instruction ID: e97ffebbc34e62a300b407b75fbdbc421c18f70d72ef4d1e9c95f262951066d4
Opcode Fuzzy Hash: b428f3fbece7b80ea9e5016ccd54e93fdb401fce830393d07ee739e808b00f47
Instruction Fuzzy Hash: 5641AD75204611AFE320DF15E888B69BBE5EF48318F18C49AE419CB7A2D735EC41CBB0

Function 00D6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D6170D
Part of subcall function 00D616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D6173A
Part of subcall function 00D616C3: GetLastError.KERNEL32 ref: 00D6174A

ExitWindowsEx.USER32(?,00000000), ref: 00D6E932

Strings

, xrefs: 00D6E95C
@, xrefs: 00D6E925
SeShutdownPrivilege, xrefs: 00D6E902
, xrefs: 00D6E920

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5ceee08649baf31f9116aae2ed0e53d7f22078ebc75fda43492ed2443da1e243
Instruction ID: 60f235b99940667a4cb24dce7d3fd79158e52cca15ae6ce19416e3ae5fcc8c3c
Opcode Fuzzy Hash: 5ceee08649baf31f9116aae2ed0e53d7f22078ebc75fda43492ed2443da1e243
Instruction Fuzzy Hash: 0D01D67A660311AFFB6467B49C86FBB736C9F14750F190423F802E21D2D6A19C4089B4

Function 00D81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D81276
WSAGetLastError.WSOCK32 ref: 00D81283
bind.WSOCK32(00000000,?,00000010), ref: 00D812BA
WSAGetLastError.WSOCK32 ref: 00D812C5
closesocket.WSOCK32(00000000), ref: 00D812F4
listen.WSOCK32(00000000,00000005), ref: 00D81303
WSAGetLastError.WSOCK32 ref: 00D8130D
closesocket.WSOCK32(00000000), ref: 00D8133C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cd1b60a4b9eb8b09035a1589006a99e1ef0750d357aec8cbf9cda44932556a0f
Instruction ID: 5bdd8887fbf440dcd12aa4dcc8d4f70153ac395096e6288f55b5bd149e048051
Opcode Fuzzy Hash: cd1b60a4b9eb8b09035a1589006a99e1ef0750d357aec8cbf9cda44932556a0f
Instruction Fuzzy Hash: 6C4181356002109FD710EF64C489B69BBE9EF46318F188189D8568F3D6C771ED86CBB1

Function 00D3B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D3B9D4
_free.LIBCMT ref: 00D3B9F8
_free.LIBCMT ref: 00D3BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00DA3700), ref: 00D3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00DD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00D3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00DD1270,000000FF,?,0000003F,00000000,?), ref: 00D3BC36
_free.LIBCMT ref: 00D3BD4B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 08f4b7fe5c266e531e7afd8e460eb864a15565607b7b6a972bcd461065e12a94
Instruction ID: 7458a16f574ff8e8a37abefb295a38acf411d49721fa5b70818777cb06481a1d
Opcode Fuzzy Hash: 08f4b7fe5c266e531e7afd8e460eb864a15565607b7b6a972bcd461065e12a94
Instruction Fuzzy Hash: 86C10471A04205AFDB20DF789C51BAABBB8EF41330F1841ABE695D7251EB719E41CB70

Function 00D6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D03A97,?,?,00D02E7F,?,?,?,00000000), ref: 00D03AC2

Part of subcall function 00D6E199: GetFileAttributesW.KERNEL32(?,00D6CF95), ref: 00D6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D6D481
FindClose.KERNEL32(00000000), ref: 00D6D498
FindClose.KERNEL32(00000000), ref: 00D6D4A1

Strings

\*.*, xrefs: 00D6D3F2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 484887dd9f952906ed270fe4f189eb3606d5b3eae2d76d7d4619296fc6aea924
Instruction ID: c5d6001fd0ce01a5b447633759dea91c80a05bcb02ba433ae750c9dfccf8d298
Opcode Fuzzy Hash: 484887dd9f952906ed270fe4f189eb3606d5b3eae2d76d7d4619296fc6aea924
Instruction Fuzzy Hash: 87314D715183459BC204EF64D891AAFB7A8EE91314F444A1EF4D5922D1EB30EA098B76

Function 00D3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D3E645

Strings

1#QNAN, xrefs: 00D3F84B
1#SNAN, xrefs: 00D3F844
1#INF, xrefs: 00D3F852
1#IND, xrefs: 00D3F83D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b48ab6cfe5e93754a27419c735914258e7104d888814b7d3108c1adb02958e13
Instruction ID: 036107112788c88f8c69e148002202816861f085979dba606d2ddfcaa1962aba
Opcode Fuzzy Hash: b48ab6cfe5e93754a27419c735914258e7104d888814b7d3108c1adb02958e13
Instruction Fuzzy Hash: 94C23C72E086298FDB25CF28DD407EAB7B5EB45305F1841EAD44DE7281E774AE818F60

Function 00D7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D764DC
CoInitialize.OLE32(00000000), ref: 00D76639
CoCreateInstance.OLE32(00D9FCF8,00000000,00000001,00D9FB68,?), ref: 00D76650
CoUninitialize.OLE32 ref: 00D768D4

Strings

.lnk, xrefs: 00D764BA, 00D76524, 00D765E0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 970915a42c4d4a22a29b8e927f6cc203420da92e3642603158b63ca7457a6417
Instruction ID: 0ca46ac35bcd452d0b1ccf4bd1e41a643888a5483b7c39a90943a4e960702c93
Opcode Fuzzy Hash: 970915a42c4d4a22a29b8e927f6cc203420da92e3642603158b63ca7457a6417
Instruction Fuzzy Hash: 7ED139715087019FD304EF24C891A6BB7E9FF94704F44896DF5998B291EB70E909CBB2

Function 00D822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D822E8

Part of subcall function 00D7E4EC: GetWindowRect.USER32(?,?), ref: 00D7E504

GetDesktopWindow.USER32 ref: 00D82312
GetWindowRect.USER32(00000000), ref: 00D82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D82355
GetCursorPos.USER32(?), ref: 00D82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D823DF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9779b3d9a020a80776cd0ab77c3f11823c6ff3d47777b16e43a082ba159487ee
Instruction ID: a68cbb56f1af88c3ebda60456befcd86b0cf9a9b7b53693772bb20736d000ade
Opcode Fuzzy Hash: 9779b3d9a020a80776cd0ab77c3f11823c6ff3d47777b16e43a082ba159487ee
Instruction Fuzzy Hash: EF31AF72504315AFD720EF54C845A6BB7A9FF84314F00091EF985D7291DB34E908CBA2

Function 00D79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D79C8B

Part of subcall function 00D73874: GetInputState.USER32 ref: 00D738CB
Part of subcall function 00D73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D79C75

Strings

*.*, xrefs: 00D79B5D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 0b517abb87c1a38f4de1c964f1d160657257493853ad5dba27a2c5d70fa94a39
Instruction ID: 62d495124e78d6047097f88907b6b8e8f50a1f7a21385e9dbea52fa51e771be0
Opcode Fuzzy Hash: 0b517abb87c1a38f4de1c964f1d160657257493853ad5dba27a2c5d70fa94a39
Instruction Fuzzy Hash: 8641427290421AAFDF15DF64D995BEEBBB8EF05310F148156E409A3291EB309E84CF74

Function 00D1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D19A4E
GetSysColor.USER32(0000000F), ref: 00D19B23
SetBkColor.GDI32(?,00000000), ref: 00D19B36

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 23fb635bbe8510d9690aa46673cc261a9bb5c3c79e79f4cdcf405d934b2df6e8
Instruction ID: df4d4d8a14c559312adfcc7dcf4cbc3c839682da700b5fe45c08f02a27b49739
Opcode Fuzzy Hash: 23fb635bbe8510d9690aa46673cc261a9bb5c3c79e79f4cdcf405d934b2df6e8
Instruction Fuzzy Hash: 0AA13D70209544BEEB249A3CBCB8EFBB69DDF46351F280109FC52C6691CE25DD89D271

Function 00D81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D8307A
Part of subcall function 00D8304E: _wcslen.LIBCMT ref: 00D8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D8185D
WSAGetLastError.WSOCK32 ref: 00D81884
bind.WSOCK32(00000000,?,00000010), ref: 00D818DB
WSAGetLastError.WSOCK32 ref: 00D818E6
closesocket.WSOCK32(00000000), ref: 00D81915

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 07933d643e0b0e4c6ee44262743231c8b7044d4f4963fc92e117cf471cf5df1a
Instruction ID: 1510bbcf67b3ea12d559608902c7ad713af71cfe52a301ba1a627fe68b816945
Opcode Fuzzy Hash: 07933d643e0b0e4c6ee44262743231c8b7044d4f4963fc92e117cf471cf5df1a
Instruction Fuzzy Hash: A651A475A002106FD710AF24C886F6A77E5EB48718F088058F9599F3D3CB71ED428BB1

Function 00D91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D91CC0
IsWindowEnabled.USER32 ref: 00D91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D91CDB
IsIconic.USER32 ref: 00D91CE9
IsZoomed.USER32 ref: 00D91CF7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6f291f74ea771d5da192f076c4b14bba56331a788df650649b914daad27cea2b
Instruction ID: 71a447c5bac27c0f357136eece0c3a935b1747ee9b40993450bc6685a6f6fd08
Opcode Fuzzy Hash: 6f291f74ea771d5da192f076c4b14bba56331a788df650649b914daad27cea2b
Instruction Fuzzy Hash: AE21B5357402125FDB208F1AD844B6ABBE5EF85315F1D9059E84ACB351CB71EC42CBB0

Function 00D08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D083FA
VUUU, xrefs: 00D0843C
VUUU, xrefs: 00D083E8
VUUU, xrefs: 00D45DF0
ERCP, xrefs: 00D0813C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d14b7aa0d91357a7f2197843000090ac555f5c6b750406282368baec17f15ee3
Instruction ID: 8270cc6852cd8500538348218ada136f2aefb19083bfa73459d79ad00b40ce65
Opcode Fuzzy Hash: d14b7aa0d91357a7f2197843000090ac555f5c6b750406282368baec17f15ee3
Instruction Fuzzy Hash: 1FA27070E0061ACBDF24CF58C8847ADB7B1BF55310F2881A9E89AA7285DB71DD81DF61

Function 00D8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D8A6BA

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D8A79C
CloseHandle.KERNEL32(00000000), ref: 00D8A7AB

Part of subcall function 00D1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D43303,?), ref: 00D1CE8A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f33e3dc020dac9e68bcee18af8767d4717fc269282d2aba1771bd6dfb3ed9b1d
Instruction ID: 0fb421bb13e80a612c755b13eb09b0a7a6d78a29afd5855cfe4c4696087b96cb
Opcode Fuzzy Hash: f33e3dc020dac9e68bcee18af8767d4717fc269282d2aba1771bd6dfb3ed9b1d
Instruction Fuzzy Hash: CA514EB1508301AFD710EF24D886A6BBBE8FF89754F44491DF58997292EB70D904CBB2

Function 00D6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D6AAAC
SetKeyboardState.USER32(00000080), ref: 00D6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D6AB88

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0f7bdd942b6d012e2b2b0c64c0d82ad529d359aefe4d04a34042990ab60465b2
Instruction ID: 433657cb89daebd8a299abbb38c0c1bff2ee810f745e210b05131d5fef3a387f
Opcode Fuzzy Hash: 0f7bdd942b6d012e2b2b0c64c0d82ad529d359aefe4d04a34042990ab60465b2
Instruction Fuzzy Hash: 6F31F830A40258AFFB35CA6D8C15BFE7BAAAB45310F08421BF5D1A61D1D3758D81CB72

Function 00D7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D7CE89
GetLastError.KERNEL32(?,00000000), ref: 00D7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D7CEFE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 23e46a4d557806eb28f87ea821998ec6072abd6167a190a3b29a7b2105728d3d
Instruction ID: 59dc93a0e537b9801b1310b4f8af1eb944169f8da8f78dc6eba11de2812123d7
Opcode Fuzzy Hash: 23e46a4d557806eb28f87ea821998ec6072abd6167a190a3b29a7b2105728d3d
Instruction Fuzzy Hash: AC21BAB1610705AFEB20DFA5D948BA7B7F8EF10318F14941EE98AD2251E770EE448B74

Function 00D68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D682AA

Strings

(, xrefs: 00D682F0
|, xrefs: 00D682DA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7f32ceca1bf28ed8a6941e468c3e40c35ed6ce539cc1262992945c4b870f7a2d
Instruction ID: 45814f84936cf1350042ddc28e0dfff6d1d80362b3c98e00bcd2ae467bf768b6
Opcode Fuzzy Hash: 7f32ceca1bf28ed8a6941e468c3e40c35ed6ce539cc1262992945c4b870f7a2d
Instruction Fuzzy Hash: 19322474A007059FCB28CF59C481A6AB7F0FF48710B15C56EE49ADB3A1EB70E981CB64

Function 00D75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D75D17
FindClose.KERNEL32(?), ref: 00D75D5F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4f2a7cc2c9ed413d6d4c825e6672618f6e1fc190473f87e820b0e6cce6ce2768
Instruction ID: db2f94e92ccb22e4735ee5f251a52ccd8b1127f9c91f8a861847e6fc3dd57b47
Opcode Fuzzy Hash: 4f2a7cc2c9ed413d6d4c825e6672618f6e1fc190473f87e820b0e6cce6ce2768
Instruction Fuzzy Hash: 065179746047019FC714CF28E494E96B7E4FF49314F18855EE99A8B3A1DB70ED44CBA2

Function 00D32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00D32731

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0e2f34da262a24b3138d6293290d597459680fd1a474005486785d86484defc4
Instruction ID: 4650ffb7a6929ddf11e8c4153c0d6765eb3e31082d662d91137edb38bd245478
Opcode Fuzzy Hash: 0e2f34da262a24b3138d6293290d597459680fd1a474005486785d86484defc4
Instruction Fuzzy Hash: 3D31B474951328ABCB21DF64DC89799BBB8FF18310F5041EAE41CA6261E7309F818F65

Function 00D751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D75238
SetErrorMode.KERNEL32(00000000), ref: 00D752A1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 843269d45ac3b87885642ce098f1912624626fb076bdf4224bf0867fca3253c5
Instruction ID: 62e9312cb664dbca2d409a14d8c9a56ec37b044676a6ed405be6fda9e254811c
Opcode Fuzzy Hash: 843269d45ac3b87885642ce098f1912624626fb076bdf4224bf0867fca3253c5
Instruction Fuzzy Hash: 5E316D75A106199FDB00DF54D884EADBBB4FF49314F088099E809AB3A6DB31E846CB65

Function 00D616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D20668
Part of subcall function 00D1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D6173A
GetLastError.KERNEL32 ref: 00D6174A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a175b21d84d2631468a749ff35343203387db006e3d27b3e6d846ea51f2ffa15
Instruction ID: c3fc4aea4adb0dd2b2c1866c2cb640f0f2ee30c690982b4126f04cbac1926304
Opcode Fuzzy Hash: a175b21d84d2631468a749ff35343203387db006e3d27b3e6d846ea51f2ffa15
Instruction Fuzzy Hash: 1A1191B2414304BFD7189F54EC86DAAB7B9EB44714B24852EF05697241EB70FC418B30

Function 00D6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D6D650

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0bfa068156867ac01b1b41713dff4e4f1e0aae9a4a9d1a6018d600a3cd703486
Instruction ID: eb859e4c0f5026ca7f0201533d52c61ae7de9e15c93376ca7a03bb5f8a52c110
Opcode Fuzzy Hash: 0bfa068156867ac01b1b41713dff4e4f1e0aae9a4a9d1a6018d600a3cd703486
Instruction Fuzzy Hash: 44115E75E45328BFDB108F95EC45FAFBBBCEB45B50F108116F904E7290D6704A058BA1

Function 00D61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D616A1
FreeSid.ADVAPI32(?), ref: 00D616B1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 87393554815a6f16073f0e6c02cfc2da254de24336d877c11585fadc27bf1fb3
Instruction ID: 3bc5383c88a2e21e48395629230e5651a6acde158ae86b08959013111ab797e3
Opcode Fuzzy Hash: 87393554815a6f16073f0e6c02cfc2da254de24336d877c11585fadc27bf1fb3
Instruction Fuzzy Hash: FEF0F475950309FBDB00DFE4DD8AAAEBBBCEB08604F504565E501E2291E774AA448A60

Function 00D24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00D328E9,?,00D24CBE,00D328E9,00DC88B8,0000000C,00D24E15,00D328E9,00000002,00000000,?,00D328E9), ref: 00D24D09
TerminateProcess.KERNEL32(00000000,?,00D24CBE,00D328E9,00DC88B8,0000000C,00D24E15,00D328E9,00000002,00000000,?,00D328E9), ref: 00D24D10
ExitProcess.KERNEL32 ref: 00D24D22

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6ec602036e82f888a7833b122ee8909032ed74079158288c94b729b1d3c8cf38
Instruction ID: 7cd35a381a8b9ed843a5c57f17da9819cbed94a282e6ca0561b4d316c10501df
Opcode Fuzzy Hash: 6ec602036e82f888a7833b122ee8909032ed74079158288c94b729b1d3c8cf38
Instruction Fuzzy Hash: 92E0B631010258AFCF11AF54EE0AA583B69EB91B95F144015FC09DB222CB35DD42CAB0

Function 00D3C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00D3C36C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 78ac5aab781beb357d50d32cabde85283cf32fd36cc71c454f39c1e4e72066f0
Instruction ID: 1c2982e361c167b051dc3e2f3deb1fea0d7f6cfed6763c21b8fb66d3998e85f0
Opcode Fuzzy Hash: 78ac5aab781beb357d50d32cabde85283cf32fd36cc71c454f39c1e4e72066f0
Instruction Fuzzy Hash: 37413976900219AFCB20DFB9DC89EBB77B8EB84314F144269F915E7180E671AD81CB74

Function 00D5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D5D28C

Strings

X64, xrefs: 00D5D2A8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: fd4a2b4e517ad716db3d9271c761217c9a8df4f65611062a977c8a77bf3ed4e1
Instruction ID: a94ca27e2890fb7f80ccc2d0567e8cdf58a45c5525c8ce895fd8d29b65d49d68
Opcode Fuzzy Hash: fd4a2b4e517ad716db3d9271c761217c9a8df4f65611062a977c8a77bf3ed4e1
Instruction Fuzzy Hash: B2D092B4811119FACBA08A90EC889D9B27CBB04305F100152E546A2100DB7095488B30

Function 00D2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 5b810d31e5e989c7aa15ae5bf428604899ab5a179a9c9cfbc9284dd3adf84da0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 0C023D71E111299BDF14CFA9D9806ADFBF1EF58314F29416AE819E7380D731AE418BA0

Function 00D768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D76918
FindClose.KERNEL32(00000000), ref: 00D76961

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86b602d4d177c7900a66f1c0bb8f63f54a324547a39e64089d9d2f8e3cc96f93
Instruction ID: 74d238c3187ecab3f8dc743380f7ca6231afc513002a6ef38adccda42b07585b
Opcode Fuzzy Hash: 86b602d4d177c7900a66f1c0bb8f63f54a324547a39e64089d9d2f8e3cc96f93
Instruction Fuzzy Hash: D511D0716146019FC710CF29C888B16BBE0FF84328F08C699E5698F3A2DB30EC05CBA1

Function 00D737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D84891,?,?,00000035,?), ref: 00D737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D84891,?,?,00000035,?), ref: 00D737F4

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e7fca38ad39870b7f710855d80e1ece200c4a574f0c6bf9df23acf5221867f44
Instruction ID: 24fe962d48ed6440a185523267c4995b2be96860949aa60741bac9284cff4687
Opcode Fuzzy Hash: e7fca38ad39870b7f710855d80e1ece200c4a574f0c6bf9df23acf5221867f44
Instruction Fuzzy Hash: A0F0E5B16043282BEB2017668C4DFEB7BAEEFC4761F000165F509D2291D9609944C7B0

Function 00D6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D6B25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00D6B270

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c965f49ff6c62eacfe1bc1406d3d811eeefd7d0298813e9fbb2fb0e1d403a487
Instruction ID: a0301282f1d5bdad6201b28d81a7a8d7eadf98d5da952881ee93657400ca6a6b
Opcode Fuzzy Hash: c965f49ff6c62eacfe1bc1406d3d811eeefd7d0298813e9fbb2fb0e1d403a487
Instruction Fuzzy Hash: 45F06D7080428DABDB058FA0C805BAE7BB0FF08315F00800AF951E5192C379C2019FA4

Function 00D610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D611FC), ref: 00D610D4
CloseHandle.KERNEL32(?,?,00D611FC), ref: 00D610E9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fd112181242b9de0a966e057cd5837d53cb65e99f154ee56d69b7f1d0929d1b2
Instruction ID: ac52c7ba96c58560a6701464989d7573ee3205dc7b5a640f9862c48c26a2fef4
Opcode Fuzzy Hash: fd112181242b9de0a966e057cd5837d53cb65e99f154ee56d69b7f1d0929d1b2
Instruction Fuzzy Hash: 51E0BF72018710BFE7252B51FC05EB777A9EB04310F14882EF5A5805B1DB626CE0DB70

Function 00D0CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00D50C40

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8f9a11812348786dfa832c4d634708fd3fd6b0fc18babb33c2e660b773e3fe46
Instruction ID: 5e42dd4849fa3d5a9af8b80da3d8631612e2b731973d1fed78e5532f3eba905c
Opcode Fuzzy Hash: 8f9a11812348786dfa832c4d634708fd3fd6b0fc18babb33c2e660b773e3fe46
Instruction Fuzzy Hash: 0B329C709102199BDF14DF94C881BEDBBB5FF05304F289159EC0AAB292DB71AD49CB71

Function 00D3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D36766,?,?,00000008,?,?,00D3FEFE,00000000), ref: 00D36998

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7bee887fb4ce41b0fe686690c6b1da716c68f0030d2db1a1f65e296e13740647
Instruction ID: 14e18e017f10ff8fc9bfa84b8c9434cdb05cfd01f03795cb0c65ddfb78a79dad
Opcode Fuzzy Hash: 7bee887fb4ce41b0fe686690c6b1da716c68f0030d2db1a1f65e296e13740647
Instruction Fuzzy Hash: B9B13A71610608AFD715CF28C48AB657BE0FF49364F29C658E8D9CF2A2C735E991CB60

Function 00D1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00D5851F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 89961241312da2a296cd1fb9a4430811b58ab0c836ed54b82fbd9d0a46b6ba4f
Instruction ID: 6b383ab3a11eb1933e1b5a9b6e0ecc68a5b21eae6a54fc695b161519c01b7d11
Opcode Fuzzy Hash: 89961241312da2a296cd1fb9a4430811b58ab0c836ed54b82fbd9d0a46b6ba4f
Instruction Fuzzy Hash: BD125E75A002299FDF14CF58D8806EEB7B5FF48710F14819AE849EB255EB309E85DFA0

Function 00D7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D7EABD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2b1e2007432820278ef7354561a076bd19090d453092d5310a32005b44dd34a4
Instruction ID: 1a21d382d0452317137548b9a688e33591e8cfe51d4375a751080a012e7a8193
Opcode Fuzzy Hash: 2b1e2007432820278ef7354561a076bd19090d453092d5310a32005b44dd34a4
Instruction Fuzzy Hash: 8AE01A312102049FC710EF59D804E9ABBE9EF98760F00845AFC49C73A1DA70E8408BB1

Function 00D209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00D203EE), ref: 00D209DA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 31eace2984c304f9239e8b09b01ce77139f19ce055e0cb046ac4a18badc59bfe
Instruction ID: 26e3fdf8c3dfa5806bb94f873582773f6022c73ebdfeef33c0f5b629a3575219
Opcode Fuzzy Hash: 31eace2984c304f9239e8b09b01ce77139f19ce055e0cb046ac4a18badc59bfe
Instruction Fuzzy Hash:

Function 00D2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00D2798B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5384a3e8ddbe890f9530e65f9cccc07fca923226001f1bfebddf7042c5b7a801
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2B51677160C7355BDB388578B85A7BEA389DB3230CF1C0509E986D7282C615DE81EB72

Function 00D36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5acbc3d9eb33947f3778bb13b4e7aef2b8799cfb2454dd23088d0cca5da6bc
Instruction ID: 59bb3e08f0e05a74d09325c0873599439998061fe0f4f8d4409a66e840d50b1f
Opcode Fuzzy Hash: 5f5acbc3d9eb33947f3778bb13b4e7aef2b8799cfb2454dd23088d0cca5da6bc
Instruction Fuzzy Hash: D6322362D29F014DD7239639D822336A289AFB73C5F15C737F81AB5EA6EB29C5C34110

Function 00D1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11db34daae22a12ebd0360430d656de959e6b8a8de342d8d8ab60ad92810310
Instruction ID: 67f60ca94c357fbb05571f2d0e95753b76fba3ea9910cea219d804bfe01e01e5
Opcode Fuzzy Hash: b11db34daae22a12ebd0360430d656de959e6b8a8de342d8d8ab60ad92810310
Instruction Fuzzy Hash: 26322A31A203059FCF24CF68D4906BD7BA2EB85302F2CA566DC89D7291E630DD89DB71

Function 00D07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc9a0bfce133fd94ddd115e894ce3242b90006686b5b3394b0da204d366f4ef
Instruction ID: 31841694198a11aaa05ef8d869d4145291683698b914903167c624ea20a68d02
Opcode Fuzzy Hash: ebc9a0bfce133fd94ddd115e894ce3242b90006686b5b3394b0da204d366f4ef
Instruction Fuzzy Hash: 17228F70E0460A9FDF14CF64E881BAEB7B5FF44300F144529E85AAB296EB35E951CB70

Function 00D091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63e09abcc12c9f8336aeb512a6cb8514fb3e5cdc300433f9d2da58e0e81eabc
Instruction ID: b34e7dc15e706fa5cc461cd5c6d4b5123d0eb96e57d65768215640c342483320
Opcode Fuzzy Hash: b63e09abcc12c9f8336aeb512a6cb8514fb3e5cdc300433f9d2da58e0e81eabc
Instruction Fuzzy Hash: C30295B0E00206FBDB04DF64D881AADB7B5FF44304F558169F85A9B291EB31EA50CBB5

Function 00D219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9ede124cd2492677ad2c4a718ee8ad80ea34a0da8d40c0cfd84ad1ec81e61f2b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2991927A2090B30ADB29467AA57403EFFF15AB23A931E87ADD4F2CA1C1FD14C5599630

Function 00D27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fe16ffad5740c4b366edf30b73ff3343bbd7fe8480677f50d1d64199fe16fd
Instruction ID: d2bbc4aaf4c8cf01e0ad748712ec8835622654ffeb71d35f69793a4f4ddab906
Opcode Fuzzy Hash: 83fe16ffad5740c4b366edf30b73ff3343bbd7fe8480677f50d1d64199fe16fd
Instruction Fuzzy Hash: E361893160C73996DF389A28BC95BBF2394DF7131CF180959E886DB281DA11DE42D735

Function 00D27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678f38b91ff6982cd64a054ce0ee55109dbb27c7d90bdbec57fe810a1142fdd2
Instruction ID: cab982df02f0d64077fa6bd4f584d7b4287cbc9180d2b7c8b9a5ee5d96303506
Opcode Fuzzy Hash: 678f38b91ff6982cd64a054ce0ee55109dbb27c7d90bdbec57fe810a1142fdd2
Instruction Fuzzy Hash: 4F61797560873AD7DE384A287851BBF2384EF7270CF180959F982DB281DA12ED429676

Function 00D21706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: ccba9b90b395bbf16521d98b0b61b45b89db920fa3c7afe837dc1825cccf5279
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D181867A6080B349DB2D423A957403EFFE15AB23A931E879DD4F2CB1C1EE24C558DA30

Function 038F3610 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 772aeff934e9b387cfdebb6e2965c5b7dbf7250ef2150805809ec39ea808923d
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6841C2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40

Function 00D72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37de3075475596562d9be3b7b1dd4a389f57b3dfc607574c4b3424575b584452
Instruction ID: ab5a707f2af7575969cad2eabedd4775bade7575bb84cbb623193d7e4d7aa1d4
Opcode Fuzzy Hash: 37de3075475596562d9be3b7b1dd4a389f57b3dfc607574c4b3424575b584452
Instruction Fuzzy Hash: DF21A8326216518BD728CF79C81367E73E5A764310F198A2EE4A7C37D0DE35E904C760

Function 038F3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: cae1d4e49569d7c65e58da6b32cb80b1a4ff98eda3982b96f3bccf2abda0d2f9
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: B4018078A05209EFCB44DF98C5909AEF7B5FB88210F2485D9D919A7701E730AE51DB80

Function 038F34A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 4f1c859135f4f764c2330512eda7d2fbf5b40c7e34076b4d1cb4ba0053c1a544
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 7A01C078A00208EFCB44DF98C5809AEF7B5FB98210F2481D9D909E7300D730EE41DB80

Function 038F1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362629773.00000000038F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_38f0000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00D82ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D82B30
DeleteObject.GDI32(00000000), ref: 00D82B43
DestroyWindow.USER32 ref: 00D82B52
GetDesktopWindow.USER32 ref: 00D82B6D
GetWindowRect.USER32(00000000), ref: 00D82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82CF8
GetClientRect.USER32(00000000,?), ref: 00D82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82DA8
GlobalFree.KERNEL32(00000000), ref: 00D82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D9FC38,00000000), ref: 00D82DDB
GlobalFree.KERNEL32(00000000), ref: 00D82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D8303F

Strings

DISPLAY, xrefs: 00D82EA2
AutoIt v3, xrefs: 00D82CF2
static, xrefs: 00D82D3A, 00D82E91
, xrefs: 00D82FC5
@U=u, xrefs: 00D82E30, 00D82FBF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 92434cd23feec7a8bd1760bbf46350cc47e03bcd9bedbe151b27d44d8062fac8
Instruction ID: 2c32c1b507ec68a16b05854e5180eacda8d048c2a4016b4ecfafb2bdf194c19d
Opcode Fuzzy Hash: 92434cd23feec7a8bd1760bbf46350cc47e03bcd9bedbe151b27d44d8062fac8
Instruction Fuzzy Hash: 7C025A75A10205AFDB14DFA4CC89EAE7BB9EF48714F048159F919EB2A1DB70AD01CB70

Function 00D970D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D9712F
GetSysColorBrush.USER32(0000000F), ref: 00D97160
GetSysColor.USER32(0000000F), ref: 00D9716C
SetBkColor.GDI32(?,000000FF), ref: 00D97186
SelectObject.GDI32(?,?), ref: 00D97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D971C0
GetSysColor.USER32(00000010), ref: 00D971C8
CreateSolidBrush.GDI32(00000000), ref: 00D971CF
FrameRect.USER32(?,?,00000000), ref: 00D971DE
DeleteObject.GDI32(00000000), ref: 00D971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D97230
FillRect.USER32(?,?,?), ref: 00D97262
GetWindowLongW.USER32(?,000000F0), ref: 00D97284

Part of subcall function 00D973E8: GetSysColor.USER32(00000012), ref: 00D97421
Part of subcall function 00D973E8: SetTextColor.GDI32(?,?), ref: 00D97425
Part of subcall function 00D973E8: GetSysColorBrush.USER32(0000000F), ref: 00D9743B
Part of subcall function 00D973E8: GetSysColor.USER32(0000000F), ref: 00D97446
Part of subcall function 00D973E8: GetSysColor.USER32(00000011), ref: 00D97463
Part of subcall function 00D973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D97471
Part of subcall function 00D973E8: SelectObject.GDI32(?,00000000), ref: 00D97482
Part of subcall function 00D973E8: SetBkColor.GDI32(?,00000000), ref: 00D9748B
Part of subcall function 00D973E8: SelectObject.GDI32(?,?), ref: 00D97498
Part of subcall function 00D973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D974B7
Part of subcall function 00D973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D974CE
Part of subcall function 00D973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D974DB

Strings

@U=u, xrefs: 00D972CC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 987fa882fc0f07eab285d0f38dddc176eebd6e274a3a1774d9981f0d1c870579
Instruction ID: 3c24541cce74c1d37e819fa7880f8f264ebc26078f26fdcd7022cf9fcd0da40a
Opcode Fuzzy Hash: 987fa882fc0f07eab285d0f38dddc176eebd6e274a3a1774d9981f0d1c870579
Instruction Fuzzy Hash: DAA18172028301BFDB119F64DC48A5B7BA9FF49320F141A1AF9A2E62E1D771E944CB71

Function 00D18D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D18E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D56AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D56AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D56F43

Part of subcall function 00D18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D18BE8,?,00000000,?,?,?,?,00D18BBA,00000000,?), ref: 00D18FC5

SendMessageW.USER32(?,00001053), ref: 00D56F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D56F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D56FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D56FB7

Strings

0, xrefs: 00D56DCF
@U=u, xrefs: 00D56AC5, 00D56BD6, 00D56EBF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 080d87423c1a92f38cf7494d643236f4ebb702921aa3cc1c0629aa60dc6ede8a
Instruction ID: cd25dcbb23e012ac24f4b38437285a93c55c05b79119022d152fdee4014812a6
Opcode Fuzzy Hash: 080d87423c1a92f38cf7494d643236f4ebb702921aa3cc1c0629aa60dc6ede8a
Instruction Fuzzy Hash: A8128B74601201AFDB25CF24D854BA5BBF1FB45302F98446AF895CB262CB32E895DF71

Function 00D82711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D82900
GetClientRect.USER32(00000000,?), ref: 00D8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D82964
GetStockObject.GDI32(00000011), ref: 00D82974
SelectObject.GDI32(00000000,00000000), ref: 00D82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D82991
DeleteDC.GDI32(00000000), ref: 00D8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D82A77
GetStockObject.GDI32(00000011), ref: 00D82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D82A97

Strings

msctls_progress32, xrefs: 00D82A13
DISPLAY, xrefs: 00D8295A
AutoIt v3, xrefs: 00D828F8
static, xrefs: 00D8294F, 00D82A71
@U=u, xrefs: 00D829CC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 72aa986780c49d60c811802c06b0fc87a50793c0c0dca4f17346b3580cd5d0e7
Instruction ID: 3bf4cd777c193e5b6851ae1d9b58020f58e8ef818a93f62431c5d42ad12384d7
Opcode Fuzzy Hash: 72aa986780c49d60c811802c06b0fc87a50793c0c0dca4f17346b3580cd5d0e7
Instruction Fuzzy Hash: 4CB13975A10215AFEB14DFA8DC49FAE7BA9EB08710F008255F915EB2E0D770AD40CBB4

Function 00D973E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D97421
SetTextColor.GDI32(?,?), ref: 00D97425
GetSysColorBrush.USER32(0000000F), ref: 00D9743B
GetSysColor.USER32(0000000F), ref: 00D97446
CreateSolidBrush.GDI32(?), ref: 00D9744B
GetSysColor.USER32(00000011), ref: 00D97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D97471
SelectObject.GDI32(?,00000000), ref: 00D97482
SetBkColor.GDI32(?,00000000), ref: 00D9748B
SelectObject.GDI32(?,?), ref: 00D97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D97572
DrawFocusRect.USER32(?,?), ref: 00D9757D
GetSysColor.USER32(00000011), ref: 00D9758E
SetTextColor.GDI32(?,00000000), ref: 00D97596
DrawTextW.USER32(?,00D970F5,000000FF,?,00000000), ref: 00D975A8
SelectObject.GDI32(?,?), ref: 00D975BF
DeleteObject.GDI32(?), ref: 00D975CA
SelectObject.GDI32(?,?), ref: 00D975D0
DeleteObject.GDI32(?), ref: 00D975D5
SetTextColor.GDI32(?,?), ref: 00D975DB
SetBkColor.GDI32(?,?), ref: 00D975E5

Strings

@U=u, xrefs: 00D9752A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: ee24f9420f40b5f6e250b565391c796ab4c84d78a109bc5e418f84b605eeb180
Instruction ID: 5d452c8adacba9bd3ebc826a5a58ee60fa5b8f015d69ac46e7d5cfff7e2d373f
Opcode Fuzzy Hash: ee24f9420f40b5f6e250b565391c796ab4c84d78a109bc5e418f84b605eeb180
Instruction Fuzzy Hash: 04615A72910218AFDF019FA4DC49AEEBFB9EB08320F155116F915FB2A1D770A940CBA0

Function 00D74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D74AED
GetDriveTypeW.KERNEL32(?,00D9CB68,?,\\.\,00D9CC08), ref: 00D74BCA
SetErrorMode.KERNEL32(00000000,00D9CB68,?,\\.\,00D9CC08), ref: 00D74D36

Strings

SSA, xrefs: 00D74CA6
MMC, xrefs: 00D74CDE
USB, xrefs: 00D74CB4
Fixed, xrefs: 00D74C09
Network, xrefs: 00D74C02
Fibre, xrefs: 00D74CAD
Unknown, xrefs: 00D74BED, 00D74C83
iSCSI, xrefs: 00D74CC2
PhysicalDrive, xrefs: 00D74B76
RAID, xrefs: 00D74CBB
SSD, xrefs: 00D74C4A
FileBackedVirtual, xrefs: 00D74CEC
CDROM, xrefs: 00D74BFB
RAMDisk, xrefs: 00D74BF4
SCSI, xrefs: 00D74C8A
ATA, xrefs: 00D74C98
\\.\, xrefs: 00D74B3F
Removable, xrefs: 00D74C10, 00D74C15
Virtual, xrefs: 00D74CE5
ATAPI, xrefs: 00D74C91
SATA, xrefs: 00D74CD0
SAS, xrefs: 00D74CC9
1394, xrefs: 00D74C9F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7200b62fc3f5f601276c82d42c7742c8e6ea5aedd58890485639a52621c37d6a
Instruction ID: 4c40ec75f25bc32b08214c85e7a801d3b573a3eca44c8885f4941ed9114c15c0
Opcode Fuzzy Hash: 7200b62fc3f5f601276c82d42c7742c8e6ea5aedd58890485639a52621c37d6a
Instruction Fuzzy Hash: B76191316052069FCB17DF28CA82E69B7B1EF44304B28C419F84EAB691EB35ED45DB71

Function 00D90241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D902E5
_wcslen.LIBCMT ref: 00D9031F
_wcslen.LIBCMT ref: 00D90389
_wcslen.LIBCMT ref: 00D903F1
_wcslen.LIBCMT ref: 00D90475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D90504

Part of subcall function 00D1F9F2: _wcslen.LIBCMT ref: 00D1F9FD

Part of subcall function 00D6223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D62258
Part of subcall function 00D6223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D6228A

Strings

SELECTCLEAR, xrefs: 00D9052D
GETTEXT, xrefs: 00D903EC, 00D90407
GETSELECTED, xrefs: 00D905E1
VIEWCHANGE, xrefs: 00D90675
SELECTINVERT, xrefs: 00D9057E
ISSELECTED, xrefs: 00D904DD
SELECT, xrefs: 00D90548
FINDITEM, xrefs: 00D90627
DESELECT, xrefs: 00D9059C
SELECTALL, xrefs: 00D90515
GETITEMCOUNT, xrefs: 00D90316, 00D90337
GETSUBITEMCOUNT, xrefs: 00D90384, 00D9039F
@U=u, xrefs: 00D904C5, 00D90504
GETSELECTEDCOUNT, xrefs: 00D90470, 00D9048B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: 009ebb235b9817e10701ed29df163f9ef59fa4654c09c9d54b97bd67e9def928
Instruction ID: 69b41bbec51c04d795f54115bc2d2f91bd3012cdb48ecd63aadbdd122d6265e5
Opcode Fuzzy Hash: 009ebb235b9817e10701ed29df163f9ef59fa4654c09c9d54b97bd67e9def928
Instruction Fuzzy Hash: AAE1BE312082019FCB14EF24D95096EBBE6FF88714B144A5DF8969B3A1DB30ED45CBB1

Function 00D90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D91128
GetDesktopWindow.USER32 ref: 00D9113D
GetWindowRect.USER32(00000000), ref: 00D91144
GetWindowLongW.USER32(?,000000F0), ref: 00D91199
DestroyWindow.USER32(?), ref: 00D911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D91245
IsWindowVisible.USER32(00000000), ref: 00D912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D912D0
GetWindowRect.USER32(00000000,?), ref: 00D912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D91328
CopyRect.USER32(?,?), ref: 00D9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D913AA

Strings

(, xrefs: 00D9131B
tooltips_class32, xrefs: 00D911E6
0, xrefs: 00D910D3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ab92f0cd4fd236b289cff3fa3a079a0980a46876d459bf7b8af29cfb6b11b55b
Instruction ID: b1da9fa11ecd51f4cf1fb8c2604ce4e1f9322a8cad970b83dafdfd766d22e18d
Opcode Fuzzy Hash: ab92f0cd4fd236b289cff3fa3a079a0980a46876d459bf7b8af29cfb6b11b55b
Instruction Fuzzy Hash: 6BB17D75608341AFDB14DF64C885B6ABBE4FF88354F04891DF9999B2A1CB31E844CBB1

Function 00D18891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D18968
GetSystemMetrics.USER32(00000007), ref: 00D18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D1899B
GetSystemMetrics.USER32(00000008), ref: 00D189A3
GetSystemMetrics.USER32(00000004), ref: 00D189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00D18A5A
GetStockObject.GDI32(00000011), ref: 00D18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D18A81

Part of subcall function 00D1912D: GetCursorPos.USER32(?), ref: 00D19141
Part of subcall function 00D1912D: ScreenToClient.USER32(00000000,?), ref: 00D1915E
Part of subcall function 00D1912D: GetAsyncKeyState.USER32(00000001), ref: 00D19183
Part of subcall function 00D1912D: GetAsyncKeyState.USER32(00000002), ref: 00D1919D

SetTimer.USER32(00000000,00000000,00000028,00D190FC), ref: 00D18AA8

Strings

AutoIt v3 GUI, xrefs: 00D18A20
@U=u, xrefs: 00D18A81

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: dfc3c972894f141764d6c78e4dbc314d88e1f6ff4f8c6ecee478cd6095351df6
Instruction ID: 7e1ff4c088ea75bcb84a7e8eae5d4f3e6a1d74cca96541a97129e3de0f452cc7
Opcode Fuzzy Hash: dfc3c972894f141764d6c78e4dbc314d88e1f6ff4f8c6ecee478cd6095351df6
Instruction Fuzzy Hash: 5DB14875A00209AFDF14DFA8D855BAA7BB5EB48315F15422AFA15E7290DB30E880CF70

Function 00D65A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D65A40
SetWindowTextW.USER32(?,?), ref: 00D65A57
GetDlgItem.USER32(?,000003EA), ref: 00D65A6C
SetWindowTextW.USER32(00000000,?), ref: 00D65A72
GetDlgItem.USER32(?,000003E9), ref: 00D65A82
SetWindowTextW.USER32(00000000,?), ref: 00D65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D65AC3
GetWindowRect.USER32(?,?), ref: 00D65ACC
_wcslen.LIBCMT ref: 00D65B33
SetWindowTextW.USER32(?,?), ref: 00D65B6F
GetDesktopWindow.USER32 ref: 00D65B75
GetWindowRect.USER32(00000000), ref: 00D65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D65BD3
GetClientRect.USER32(?,?), ref: 00D65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D65C2F

Strings

@U=u, xrefs: 00D65A40

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 676b770915ace53b27f5bb2d90873eb34f5713f7024fad9368fdbabce3055073
Instruction ID: ca02aec6b75d037ba4910b4ba6571aec07c7e0ce8850df7ec78d347825a608d5
Opcode Fuzzy Hash: 676b770915ace53b27f5bb2d90873eb34f5713f7024fad9368fdbabce3055073
Instruction Fuzzy Hash: 0C717D31900B09AFDB20DFA8DE85B6EBBF5FF48704F144519E182E26A4D775E980CB20

Function 00D9091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D909C6
_wcslen.LIBCMT ref: 00D90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D90A54
_wcslen.LIBCMT ref: 00D90A8A
_wcslen.LIBCMT ref: 00D90B06
_wcslen.LIBCMT ref: 00D90B81

Part of subcall function 00D1F9F2: _wcslen.LIBCMT ref: 00D1F9FD

Part of subcall function 00D62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D62BFA

Strings

GETTEXT, xrefs: 00D90C97
CHECK, xrefs: 00D90A85, 00D90AA0
GETITEMCOUNT, xrefs: 00D90C1E
GETSELECTED, xrefs: 00D90C4E
GETTOTALCOUNT, xrefs: 00D909F2, 00D90A17
EXISTS, xrefs: 00D90B7C, 00D90B97
COLLAPSE, xrefs: 00D90B01, 00D90B1C
UNCHECK, xrefs: 00D90D3E
EXPAND, xrefs: 00D90BF8
@U=u, xrefs: 00D90A54
SELECT, xrefs: 00D90D11
ISCHECKED, xrefs: 00D90CE1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 2d4f938ce742b87c1a905fb5c6e3d4a42ee676102d8e01a9b61834bdb41c313d
Instruction ID: b00699143a29fb372a24374ca31f65b37a01d06a9fc333c710fedce1b0db0315
Opcode Fuzzy Hash: 2d4f938ce742b87c1a905fb5c6e3d4a42ee676102d8e01a9b61834bdb41c313d
Instruction Fuzzy Hash: 53E16C312087019FCB14EF24D45096ABBE1FF98318B14895DF89A9B7A2DB31ED45CBB1

Function 00D60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D61114
Part of subcall function 00D610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61120
Part of subcall function 00D610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D6112F
Part of subcall function 00D610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61136
Part of subcall function 00D610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D60E29
GetLengthSid.ADVAPI32(?), ref: 00D60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D60E96
GetLengthSid.ADVAPI32(?), ref: 00D60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D60EB5
HeapAlloc.KERNEL32(00000000), ref: 00D60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D60EDD
CopySid.ADVAPI32(00000000), ref: 00D60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60F6E
HeapFree.KERNEL32(00000000), ref: 00D60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60F7E
HeapFree.KERNEL32(00000000), ref: 00D60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D60F8E
HeapFree.KERNEL32(00000000), ref: 00D60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D60FA1
HeapFree.KERNEL32(00000000), ref: 00D60FA8

Part of subcall function 00D61193: GetProcessHeap.KERNEL32(00000008,00D60BB1,?,00000000,?,00D60BB1,?), ref: 00D611A1
Part of subcall function 00D61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D60BB1,?), ref: 00D611A8
Part of subcall function 00D61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D60BB1,?), ref: 00D611B7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0a2d2ae014ebbb0c40e984805a0412adb283424be4d461d579cbdf2ca6678294
Instruction ID: 7f282e38746a6a69c153de53c9a39de32a8edf84b60cfb6bdaa4c2cd3508d902
Opcode Fuzzy Hash: 0a2d2ae014ebbb0c40e984805a0412adb283424be4d461d579cbdf2ca6678294
Instruction Fuzzy Hash: 4F714972A0431AABDF219FA4DC49BAFBBB8BF15300F084116F919E7291D7719A05CB70

Function 00D9833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D9835A
_wcslen.LIBCMT ref: 00D9836E
_wcslen.LIBCMT ref: 00D98391
_wcslen.LIBCMT ref: 00D983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D9361A,?), ref: 00D9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D98501
FreeLibrary.KERNEL32(?), ref: 00D9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D9851D
DestroyIcon.USER32(?), ref: 00D9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D98555

Strings

.exe, xrefs: 00D98388
@U=u, xrefs: 00D98535
.icl, xrefs: 00D98368
.dll, xrefs: 00D983AB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: a9a83abc3e8d8fcb6aa66f70efb33dd889294904e092d45d443a47255052865e
Instruction ID: 7fca39040f26a9af775454e2ef2815e0f4063b895b1b7a61f1c489d769cab59d
Opcode Fuzzy Hash: a9a83abc3e8d8fcb6aa66f70efb33dd889294904e092d45d443a47255052865e
Instruction Fuzzy Hash: 3561CD71640215BAEF14DF64DC41BBE77A8EF09B21F10460AF815D61D1DB74A980DBB0

Function 00D8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D9CC08,00000000,?,00000000,?,?), ref: 00D8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D8C5A4
_wcslen.LIBCMT ref: 00D8C5F4
_wcslen.LIBCMT ref: 00D8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D8C84D
RegCloseKey.ADVAPI32(?), ref: 00D8C881
RegCloseKey.ADVAPI32(00000000), ref: 00D8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D8C960

Strings

REG_EXPAND_SZ, xrefs: 00D8C5CD
REG_QWORD, xrefs: 00D8C8C3
REG_DWORD, xrefs: 00D8C804
REG_MULTI_SZ, xrefs: 00D8C6F5
REG_BINARY, xrefs: 00D8C913
REG_SZ, xrefs: 00D8C644

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: afe47efdc7a57b154b8043c8f6bdc86b626f4cd370bea3ec0dde8ecf68f1c61c
Instruction ID: 3e64c22f523531cfd54c41a664928eef0cf0d32f845fcce131f9d8c042828928
Opcode Fuzzy Hash: afe47efdc7a57b154b8043c8f6bdc86b626f4cd370bea3ec0dde8ecf68f1c61c
Instruction Fuzzy Hash: 511248756142019FD714EF14C895B2AB7E5EF88714F08889DF88A9B3A2DB31FD41CBA1

Function 00D8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D8B6AE,?,?), ref: 00D8C9B5
_wcslen.LIBCMT ref: 00D8C9F1
_wcslen.LIBCMT ref: 00D8CA68
_wcslen.LIBCMT ref: 00D8CA9E
_wcslen.LIBCMT ref: 00D8CAF9
_wcslen.LIBCMT ref: 00D8CB2F
_wcslen.LIBCMT ref: 00D8CB7F

Strings

HKCC, xrefs: 00D8CBAC
HKLM, xrefs: 00D8CA98, 00D8CA9D
HKU, xrefs: 00D8CBF0
HKEY_CURRENT_USER, xrefs: 00D8CBBD
HKEY_CLASSES_ROOT, xrefs: 00D8CAF3, 00D8CAF8
HKCU, xrefs: 00D8CBCE
HKEY_CURRENT_CONFIG, xrefs: 00D8CB79, 00D8CB7E
HKEY_USERS, xrefs: 00D8CBDF
HKCR, xrefs: 00D8CB29, 00D8CB2E
HKEY_LOCAL_MACHINE, xrefs: 00D8CA62, 00D8CA67

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c0603cda2e88fc582847ee96350d4f1ee2061786cb964e668de56796a7e02d72
Instruction ID: 46cf4906a5bc9b53b12f2272e6946c9e24d7d175e1dc1db28503ddfc58ace895
Opcode Fuzzy Hash: c0603cda2e88fc582847ee96350d4f1ee2061786cb964e668de56796a7e02d72
Instruction Fuzzy Hash: 3E71F63262052ACBCB20FF7CD941ABF3395EB60754B191129FC6697284E631DD8487B0

Function 00D07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00D07873, 00D078C5
#pragma compile, xrefs: 00D077D3
", xrefs: 00D45153
#notrayicon, xrefs: 00D077E7
', xrefs: 00D45169
#ce, xrefs: 00D078ED
Unterminated group of comments, xrefs: 00D4528C
#comments-end, xrefs: 00D078D9
Cannot parse #include, xrefs: 00D45279
#include-once, xrefs: 00D0782F
#comments-start, xrefs: 00D0785F, 00D078B1
Bad directive syntax error, xrefs: 00D4519A
#OnAutoItStartRegister, xrefs: 00D07817
#requireadmin, xrefs: 00D077FF
#include, xrefs: 00D07847

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f4914666b64f608b0daa6f79fa1a0b3d894c63e83c26877199532b23fe46907e
Instruction ID: f18439dda939dd83dd4daab17df004495a35a63c61bbafa2881840613e14e0c6
Opcode Fuzzy Hash: f4914666b64f608b0daa6f79fa1a0b3d894c63e83c26877199532b23fe46907e
Instruction Fuzzy Hash: 8181E271A44205BBDB20AF60EC42FEE77A8EF55340F084025F909AB1D6EB71E955C7B1

Function 00D9856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D98592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D985A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D985AD
CloseHandle.KERNEL32(00000000), ref: 00D985BA
GlobalLock.KERNEL32(00000000), ref: 00D985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D985D7
GlobalUnlock.KERNEL32(00000000), ref: 00D985E0
CloseHandle.KERNEL32(00000000), ref: 00D985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D985F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D9FC38,?), ref: 00D98611
GlobalFree.KERNEL32(00000000), ref: 00D98621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D98671
DeleteObject.GDI32(00000000), ref: 00D98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D986AF

Strings

@U=u, xrefs: 00D986AF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 221c6b25e548f7a8b01fbed292561ca8737f3c85af7ad0c675e3e564648c43bb
Instruction ID: 8e3f810b4d14b39f591a232b0babdcc34146b076096c877dda81dfa3f7e55c5b
Opcode Fuzzy Hash: 221c6b25e548f7a8b01fbed292561ca8737f3c85af7ad0c675e3e564648c43bb
Instruction Fuzzy Hash: 2E411975610304AFDB119FA5DD48EAA7BB8EF89B11F144059F90AEB260DB309901DB74

Function 00D200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D200C6

Part of subcall function 00D200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00DD070C,00000FA0,17C96CDA,?,?,?,?,00D423B3,000000FF), ref: 00D2011C
Part of subcall function 00D200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D423B3,000000FF), ref: 00D20127
Part of subcall function 00D200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D423B3,000000FF), ref: 00D20138
Part of subcall function 00D200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D2014E
Part of subcall function 00D200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D2015C
Part of subcall function 00D200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D2016A
Part of subcall function 00D200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D20195
Part of subcall function 00D200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D201A0

___scrt_fastfail.LIBCMT ref: 00D200E7

Part of subcall function 00D200A3: __onexit.LIBCMT ref: 00D200A9

Strings

InitializeConditionVariable, xrefs: 00D20148
SleepConditionVariableCS, xrefs: 00D20154
kernel32.dll, xrefs: 00D20133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D20122
WakeAllConditionVariable, xrefs: 00D20162

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c21bedcf6d93031e7c9464a58d9cc6ad74fd137027adf3bb5921ece59d0dc9aa
Instruction ID: 7c70e02eeb6a38d09811b82c218a4bfd13b7893e5ab50ab38705ac0d19c3bfda
Opcode Fuzzy Hash: c21bedcf6d93031e7c9464a58d9cc6ad74fd137027adf3bb5921ece59d0dc9aa
Instruction Fuzzy Hash: 4321F632A457217FEB115BB4BC06B6A7BA4DB55B65F14012BF901E6392DF6098008AB4

Function 00D630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D6318D
_wcslen.LIBCMT ref: 00D631F8

Strings

CLASSNN, xrefs: 00D631F3, 00D63204
REGEXPCLASS, xrefs: 00D63255, 00D63266
TEXT, xrefs: 00D6347C
CLASS, xrefs: 00D63188, 00D631A5
INSTANCE, xrefs: 00D63453
NAME, xrefs: 00D63335, 00D63346

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 127aaafc840d3065dd31c34bb76fdce320cdc82aee80911282fc1fa0bee9f67c
Instruction ID: 2a518b5977b5c10d8fcfc2b8e788b649ee975a16cfcfa40e945e6f39e2f87f0c
Opcode Fuzzy Hash: 127aaafc840d3065dd31c34bb76fdce320cdc82aee80911282fc1fa0bee9f67c
Instruction Fuzzy Hash: 7EE19631A00626ABCB18DF68D451BEEFBB5FF54714F588119E456B7240DF30AE858BB0

Function 00D744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D9CC08), ref: 00D74527
_wcslen.LIBCMT ref: 00D7453B
_wcslen.LIBCMT ref: 00D74599
_wcslen.LIBCMT ref: 00D745F4
_wcslen.LIBCMT ref: 00D7463F
_wcslen.LIBCMT ref: 00D746A7

Part of subcall function 00D1F9F2: _wcslen.LIBCMT ref: 00D1F9FD

GetDriveTypeW.KERNEL32(?,00DC6BF0,00000061), ref: 00D74743

Strings

fixed, xrefs: 00D74635, 00D7463A
unknown, xrefs: 00D74708
cdrom, xrefs: 00D7458F, 00D74594
all, xrefs: 00D74531, 00D74536
ramdisk, xrefs: 00D746F1
network, xrefs: 00D7469D, 00D746A2
removable, xrefs: 00D745EA, 00D745EF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f0e8836bec54b926547c198cc4cadd8a2ef2b31ec45fb40959d63405af4750bb
Instruction ID: afb43090a3bf49d6806e022c8e22fc89ba0ba594dec5cd48acf026987ff7b55b
Opcode Fuzzy Hash: f0e8836bec54b926547c198cc4cadd8a2ef2b31ec45fb40959d63405af4750bb
Instruction Fuzzy Hash: C1B1DF716083029FC715DF28C890AAEB7E5EFA5724F548A1DF49AC7291E730D844CBB2

Function 00D96CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D96DEB

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D96E94
DestroyWindow.USER32(?), ref: 00D96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D00000,00000000), ref: 00D96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D96EFD
GetDesktopWindow.USER32 ref: 00D96F16
GetWindowRect.USER32(00000000), ref: 00D96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D96F4D

Part of subcall function 00D19944: GetWindowLongW.USER32(?,000000EB), ref: 00D19952

Strings

tooltips_class32, xrefs: 00D96E58, 00D96EDD
0, xrefs: 00D96D98
@U=u, xrefs: 00D96E81, 00D96E94, 00D96EFD, 00D96F27

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: 16959a136f83fd7684c6edb51b1048312b8dbff80dcbfcc0273090534b0f7e77
Instruction ID: d572adc9d8c9ff122aa1d7986ed5d3a39daf647ce99cc10c11157ac4f6d61b7f
Opcode Fuzzy Hash: 16959a136f83fd7684c6edb51b1048312b8dbff80dcbfcc0273090534b0f7e77
Instruction Fuzzy Hash: B0713474108345AFDB21CF58D854FBABBE9EB89304F48441EF999872A1D770E906CB21

Function 00D9911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

DragQueryPoint.SHELL32(?,?), ref: 00D99147

Part of subcall function 00D97674: ClientToScreen.USER32(?,?), ref: 00D9769A
Part of subcall function 00D97674: GetWindowRect.USER32(?,?), ref: 00D97710
Part of subcall function 00D97674: PtInRect.USER32(?,?,00D98B89), ref: 00D97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D99277
DragFinish.SHELL32(?), ref: 00D9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D99371

Strings

@GUI_DRAGFILE, xrefs: 00D99320
@GUI_DRAGID, xrefs: 00D992E9
@U=u, xrefs: 00D991B0, 00D99225, 00D9923E, 00D99255, 00D99277
@GUI_DROPID, xrefs: 00D9929E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: 5795bcb9254da6b308f4bef98331ffab0e6f73457f7576c76800ba3ff33a295c
Instruction ID: 4ed2c2687d010bfda4f8da896cd2275e727611c60b8a51c6190603184739e317
Opcode Fuzzy Hash: 5795bcb9254da6b308f4bef98331ffab0e6f73457f7576c76800ba3ff33a295c
Instruction Fuzzy Hash: C8614871108301AFD701DF64DC95EABBBE8EF89750F400A1EF595932A1DB70AA49CB72

Function 00D8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D8B1D4
_wcslen.LIBCMT ref: 00D8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D8B236
_wcslen.LIBCMT ref: 00D8B332

Part of subcall function 00D705A7: GetStdHandle.KERNEL32(000000F6), ref: 00D705C6

_wcslen.LIBCMT ref: 00D8B34B
_wcslen.LIBCMT ref: 00D8B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D8B3B6
GetLastError.KERNEL32(00000000), ref: 00D8B407
CloseHandle.KERNEL32(?), ref: 00D8B439
CloseHandle.KERNEL32(00000000), ref: 00D8B44A
CloseHandle.KERNEL32(00000000), ref: 00D8B45C
CloseHandle.KERNEL32(00000000), ref: 00D8B46E
CloseHandle.KERNEL32(?), ref: 00D8B4E3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f7e1493a2c1058bc7b35ea1f7f510ae3fe7ee413fc9599916a6577449a8e37b0
Instruction ID: ce6265f9abc9b0b87f58256f05a0395f250e7bfbb3cca59afc1985f895aa8fc3
Opcode Fuzzy Hash: f7e1493a2c1058bc7b35ea1f7f510ae3fe7ee413fc9599916a6577449a8e37b0
Instruction Fuzzy Hash: 95F16A715083009FC714EF24C895B6ABBE5EF85324F18855EF8999B2A2DB31EC45CB72

Function 00D0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00DD1990), ref: 00D42F8D
GetMenuItemCount.USER32(00DD1990), ref: 00D4303D
GetCursorPos.USER32(?), ref: 00D43081
SetForegroundWindow.USER32(00000000), ref: 00D4308A
TrackPopupMenuEx.USER32(00DD1990,00000000,?,00000000,00000000,00000000), ref: 00D4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D430A9

Strings

0, xrefs: 00D0327D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2114aa7f5b05081b9414b467148ac818ce6d6decebf25763ffcc06159f1dc4d7
Instruction ID: c745c6bb83aecff532b02fa9c851041544b7091c1f80da0416060e93f51aff2b
Opcode Fuzzy Hash: 2114aa7f5b05081b9414b467148ac818ce6d6decebf25763ffcc06159f1dc4d7
Instruction Fuzzy Hash: BA711931644205BFEB218F69CC49FAABF68FF05364F244216F518AA2E1C7B1AD54DB70

Function 00D7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D7C5F0
InternetCloseHandle.WININET(00000000), ref: 00D7C5FB

Strings

, xrefs: 00D7C575

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 5c86cf535500d1dba9043d83f8c2f18d20a3d4091381b026534856f0094e3b7c
Instruction ID: c341deb7b2cf2aea120a418b04ce816c4be4d2b78058355dec6bf88a6d1d6aab
Opcode Fuzzy Hash: 5c86cf535500d1dba9043d83f8c2f18d20a3d4091381b026534856f0094e3b7c
Instruction Fuzzy Hash: 93514CB1510708BFDB218FA0C988AAB7BBCFF08754F04A51EF949D6210EB35E9449B70

Function 00D714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D71502
VariantCopy.OLEAUT32(?,?), ref: 00D7150B
VariantClear.OLEAUT32(?), ref: 00D71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D71657
VariantInit.OLEAUT32(?), ref: 00D71708
SysFreeString.OLEAUT32(?), ref: 00D7178C
VariantClear.OLEAUT32(?), ref: 00D717D8
VariantClear.OLEAUT32(?), ref: 00D717E7
VariantInit.OLEAUT32(00000000), ref: 00D71823

Strings

Default, xrefs: 00D716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00D71625

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ea8586dd54c4745569a6e90f667b6c74814c187da9911c0ee4d10b4b717fe715
Instruction ID: 4cd396e977e351d41f82ee1d3ef00c31339de0d6d0f7bd5ccce9aa891c88216b
Opcode Fuzzy Hash: ea8586dd54c4745569a6e90f667b6c74814c187da9911c0ee4d10b4b717fe715
Instruction Fuzzy Hash: 77D1EE75A00205EBDB189F69E885BB9B7B5FF44700F14C65AF44AAB280EB30EC45DB71

Function 00D8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D8B6AE,?,?), ref: 00D8C9B5
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8C9F1
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA68
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D8B80A
RegCloseKey.ADVAPI32(?), ref: 00D8B87E
RegCloseKey.ADVAPI32(?), ref: 00D8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D8B922
FreeLibrary.KERNEL32(00000000), ref: 00D8B983
RegCloseKey.ADVAPI32(00000000), ref: 00D8B994

Strings

RegDeleteKeyExW, xrefs: 00D8B8FE
advapi32.dll, xrefs: 00D8B8ED

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ee702c577461cdd4a2236e083c5e8536205dac271a04599169a8c30fc20ee191
Instruction ID: 2bdc63c5948ba5c06bef6b75a83b5bca25323c4d7c8c4b763ccb232c087c1726
Opcode Fuzzy Hash: ee702c577461cdd4a2236e083c5e8536205dac271a04599169a8c30fc20ee191
Instruction Fuzzy Hash: 7CC15A30208301AFD714EF14C495F2ABBE5FF84318F58959DE59A8B2A2CB71E945CBA1

Function 00D9541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D95515
CharNextW.USER32(00000158), ref: 00D95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D955AC

Strings

@U=u, xrefs: 00D95504, 00D95515, 00D9554A, 00D955C9, 00D9562B, 00D95816

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: 6d90f0ee6341d58a908d08f0780d81c1c75ea8ffa77c2d12e6b51b93577cbd54
Instruction ID: 43d02954ec57a5c8f1cb71088df4914abf749d995af79592acef6c18d2bb3fae
Opcode Fuzzy Hash: 6d90f0ee6341d58a908d08f0780d81c1c75ea8ffa77c2d12e6b51b93577cbd54
Instruction Fuzzy Hash: E961B035900608FFDF128F94EC849FE3BB9EB0A720F144165F965A62A5D7709A80DF70

Function 00D8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D825E8
CreateCompatibleDC.GDI32(?), ref: 00D825F4
SelectObject.GDI32(00000000,?), ref: 00D82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D826D0
SelectObject.GDI32(?,?), ref: 00D826D8
DeleteObject.GDI32(?), ref: 00D826E1
DeleteDC.GDI32(?), ref: 00D826E8
ReleaseDC.USER32(00000000,?), ref: 00D826F3

Strings

(, xrefs: 00D8268D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 542fb85dc0f93f318ccdefeb11858d5de6338f9a2dc37efe741e1df08d38ffd6
Instruction ID: 4c4cea26ff07274d267e0faf22eb08bd5b48f5bf273979dc20ada8656a171d1a
Opcode Fuzzy Hash: 542fb85dc0f93f318ccdefeb11858d5de6338f9a2dc37efe741e1df08d38ffd6
Instruction Fuzzy Hash: 9961D275D00219EFCF04DFA4D885AAEBBB5FF48310F20852AE955A7350E770A941CFA4

Function 00D6E6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D6E6B4

Part of subcall function 00D1E551: timeGetTime.WINMM(?,?,00D6E6D4), ref: 00D1E555

Sleep.KERNEL32(0000000A), ref: 00D6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D6E727
SetActiveWindow.USER32 ref: 00D6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D6E773
Sleep.KERNEL32(000000FA), ref: 00D6E77E
IsWindow.USER32 ref: 00D6E78A
EndDialog.USER32(00000000), ref: 00D6E79B

Strings

BUTTON, xrefs: 00D6E719
@U=u, xrefs: 00D6E754, 00D6E773

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: e77c65d308b0f0b932508866776eda33718e2b24ab6b94a2bf51700e65385d4f
Instruction ID: e786ad896cc0d1e99cd671fb31b100602a9036e2adc9ff01e88cc8d9cad69581
Opcode Fuzzy Hash: e77c65d308b0f0b932508866776eda33718e2b24ab6b94a2bf51700e65385d4f
Instruction Fuzzy Hash: AE218CB9251305BFEB015FA5EC8AB363B69FB64748B142826F801C23B1DB71EC049B34

Function 00D3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D3DAA1

Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D659
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D66B
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D67D
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D68F
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6A1
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6B3
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6C5
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6D7
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6E9
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D6FB
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D70D
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D71F
Part of subcall function 00D3D63C: _free.LIBCMT ref: 00D3D731

_free.LIBCMT ref: 00D3DA96

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D3DAB8
_free.LIBCMT ref: 00D3DACD
_free.LIBCMT ref: 00D3DAD8
_free.LIBCMT ref: 00D3DAFA
_free.LIBCMT ref: 00D3DB0D
_free.LIBCMT ref: 00D3DB1B
_free.LIBCMT ref: 00D3DB26
_free.LIBCMT ref: 00D3DB5E
_free.LIBCMT ref: 00D3DB65
_free.LIBCMT ref: 00D3DB82
_free.LIBCMT ref: 00D3DB9A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c815a24eb8f76b2d8f7ec9828915c367e609aa14949c52ade6171208fde9fe95
Instruction ID: bfb94040879e0d34ba6de570d3f9498f78a9bb34f441f4a1bd805fda0bbf6d93
Opcode Fuzzy Hash: c815a24eb8f76b2d8f7ec9828915c367e609aa14949c52ade6171208fde9fe95
Instruction Fuzzy Hash: AE313971A447059FEB22AA39F845B6AB7EAFF10310F294469F459D7191DF31AC808F30

Function 00D6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D6369C
_wcslen.LIBCMT ref: 00D636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D63797
GetClassNameW.USER32(?,?,00000400), ref: 00D6380C
GetDlgCtrlID.USER32(?), ref: 00D6385D
GetWindowRect.USER32(?,?), ref: 00D63882
GetParent.USER32(?), ref: 00D638A0
ScreenToClient.USER32(00000000), ref: 00D638A7
GetClassNameW.USER32(?,?,00000100), ref: 00D63921
GetWindowTextW.USER32(?,?,00000400), ref: 00D6395D

Strings

%s%u, xrefs: 00D63734

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 390ea8b47833391bf825179179681686325ee69c16e3d5bc52ee2856fea48704
Instruction ID: 1c66082ac43c0bd6d411e1ce3c32c39424e9d5c3431625cfaafc9efd9d791dd9
Opcode Fuzzy Hash: 390ea8b47833391bf825179179681686325ee69c16e3d5bc52ee2856fea48704
Instruction Fuzzy Hash: 5A91AD71204706AFD719DF64C885BAAB7A8FF44350F04862AF99AC2190DB30EA55CFB1

Function 00D64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D64994
GetWindowTextW.USER32(?,?,00000400), ref: 00D649DA
_wcslen.LIBCMT ref: 00D649EB
CharUpperBuffW.USER32(?,00000000), ref: 00D649F7
_wcsstr.LIBVCRUNTIME ref: 00D64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D64B20
GetWindowRect.USER32(?,?), ref: 00D64B8B

Strings

ThumbnailClass, xrefs: 00D64A6F, 00D64AF1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 05329012589c2b4c812ba8dd3155a8be42befe8dd8d18ab02f4b342dbafff123
Instruction ID: 0aadc708f5c4ed88b928866a82e76aea527cbb4ac3eea029a5799ac8874e80d6
Opcode Fuzzy Hash: 05329012589c2b4c812ba8dd3155a8be42befe8dd8d18ab02f4b342dbafff123
Instruction Fuzzy Hash: 4691AB71104305AFDB04DF14D981BAAB7E8FF84714F08846AFD899A196DB30ED45CBB1

Function 00D98D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D98D5A
GetFocus.USER32 ref: 00D98D6A
GetDlgCtrlID.USER32(00000000), ref: 00D98D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D98E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D98ECF
GetMenuItemCount.USER32(?), ref: 00D98EEC
GetMenuItemID.USER32(?,00000000), ref: 00D98EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D98F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D98F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D98FA1

Strings

0, xrefs: 00D98E9F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 49cbc3069e8c7dfb199e734838ac216a2a19615fd82499cb1047c8a37668b8e1
Instruction ID: 3fc3324eff78b0b5c3fbf97c0bff6934ae88ae5555d235d28bc84748311e0176
Opcode Fuzzy Hash: 49cbc3069e8c7dfb199e734838ac216a2a19615fd82499cb1047c8a37668b8e1
Instruction Fuzzy Hash: DF817D71508301AFDB10CF24D884AABB7E9FF8AB54F18051AF995D7291DB71D900EBB1

Function 00D8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D8CD48

Part of subcall function 00D8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D8CCAA
Part of subcall function 00D8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D8CCBD
Part of subcall function 00D8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D8CCCF
Part of subcall function 00D8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D8CD05
Part of subcall function 00D8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D8CCF3

Strings

RegDeleteKeyExW, xrefs: 00D8CCC9
advapi32.dll, xrefs: 00D8CCB8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0c5786997beb4970e5187ce07333fb8a2201c197475794871d0db7fd4ccc786e
Instruction ID: 572a890d9137022de46a7df59182e1876e9478e7f2c2ef9e926f8ebc392e81e8
Opcode Fuzzy Hash: 0c5786997beb4970e5187ce07333fb8a2201c197475794871d0db7fd4ccc786e
Instruction Fuzzy Hash: AF318C71911229FBDB20ABA5DC88EFFBB7CEF05740F041166A906E3240DA309A45DBB0

Function 00D6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D6EAA7

Strings

status PlayMe mode, xrefs: 00D6EA58
alias PlayMe, xrefs: 00D6EA36
play PlayMe, xrefs: 00D6EAA2
play PlayMe wait, xrefs: 00D6EA91
close PlayMe, xrefs: 00D6EA6E, 00D6EA9B
open , xrefs: 00D6EA0C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c022b6ceb613c9fbc08b3fc68ffc926d14f552df83f186f9ecbd65ca7c30d41a
Instruction ID: c8348534b141714043b078513670290c1ba07b3b7c61b62fe5bda68ca80f80a4
Opcode Fuzzy Hash: c022b6ceb613c9fbc08b3fc68ffc926d14f552df83f186f9ecbd65ca7c30d41a
Instruction Fuzzy Hash: E3115175A5025A7ED720A7A6DD4AFFF6B7CEFD1B00F440429B405A30D1EE708909C9B0

Function 00D65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D65CE2
GetWindowRect.USER32(00000000,?), ref: 00D65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D65D59
GetDlgItem.USER32(?,00000002), ref: 00D65D69
GetWindowRect.USER32(00000000,?), ref: 00D65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D65DCF
GetDlgItem.USER32(?,000003E9), ref: 00D65DDD
GetWindowRect.USER32(00000000,?), ref: 00D65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D65E31
GetDlgItem.USER32(?,000003EA), ref: 00D65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D65E67

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 05116387288c80aea2158c3c6e2b475830b30c324a1505f2a237e86cf81c879b
Instruction ID: cf015999f2e2ac86b96d04f426db038507e8ffefea52e377fb8c171cd5e26698
Opcode Fuzzy Hash: 05116387288c80aea2158c3c6e2b475830b30c324a1505f2a237e86cf81c879b
Instruction Fuzzy Hash: A2510C71A10705AFDF18CFA8DD89AAEBBB5EB48300F548129F515E6294D7709E44CB60

Function 00D18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D18BE8,?,00000000,?,?,?,?,00D18BBA,00000000,?), ref: 00D18FC5

DestroyWindow.USER32(?), ref: 00D18C81
KillTimer.USER32(00000000,?,?,?,?,00D18BBA,00000000,?), ref: 00D18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00D56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D18BBA,00000000,?), ref: 00D569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D18BBA,00000000,?), ref: 00D569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D18BBA,00000000), ref: 00D569D4
DeleteObject.GDI32(00000000), ref: 00D569E6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d1b76d8e71553347aca1eaea25182d5e14e9f39b2679a87bfd0465770951a7aa
Instruction ID: 8b64903902aacea01ad8a27efbe454052f4fbd05b7f2b89dc59fac6a002b463a
Opcode Fuzzy Hash: d1b76d8e71553347aca1eaea25182d5e14e9f39b2679a87bfd0465770951a7aa
Instruction Fuzzy Hash: 9F617834502700EFCB21DF14E958BA5B7B2FB44312F58451AE8829BA60CB31E9C4EFB0

Function 00D19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00D19944: GetWindowLongW.USER32(?,000000EB), ref: 00D19952

GetSysColor.USER32(0000000F), ref: 00D19862

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b5660069b5369841378fb3d59a29821614cfe7bb12aa3f41351c6e238733bfda
Instruction ID: 521a101ed6d081fa239959dc9ef5734c3c3b0f38e8031f6b7f83767128202499
Opcode Fuzzy Hash: b5660069b5369841378fb3d59a29821614cfe7bb12aa3f41351c6e238733bfda
Instruction Fuzzy Hash: 87417131104740AFDB205F38ACA4BF97B65FB06721F285616F9A2972E1DB319C82DB31

Function 00D950D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D95186
ShowWindow.USER32(?,00000000), ref: 00D951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D951D1

Part of subcall function 00D96FBA: DeleteObject.GDI32(00000000), ref: 00D96FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D9520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D9521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D9524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D95287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D95296

Strings

@U=u, xrefs: 00D95186

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: dbe7708b7ccffd6a06a27d7213f46a6720dcae8496567a537ee29eabb74382cb
Instruction ID: 35219f6a7da64518f396d5681ecd341e25b4d9312e98dd89492191800978c719
Opcode Fuzzy Hash: dbe7708b7ccffd6a06a27d7213f46a6720dcae8496567a537ee29eabb74382cb
Instruction Fuzzy Hash: 6351B230A50B08BFEF229F64EC45BD83B65FB05321F184122F619E62E4C775A980DB74

Function 00D18B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D18874,00000000,00000000,00000000,000000FF,00000000), ref: 00D56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D18874,00000000,00000000,00000000,000000FF,00000000), ref: 00D5692D

Strings

@U=u, xrefs: 00D568F2, 00D5691E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: b95ff3a2f7b0120df71579841444bbf9ee9c8f56a0897eb62e3f645d0e026a8c
Instruction ID: b3e1da039202a8319f7fe56731e71c80e4cc8cd8ae2a00086867fce9da97b504
Opcode Fuzzy Hash: b95ff3a2f7b0120df71579841444bbf9ee9c8f56a0897eb62e3f645d0e026a8c
Instruction Fuzzy Hash: 205175B0A00309BFDB20CF24DC91BAA7BB5EB58761F144519F956D72A0DB70E990EB60

Function 00D696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00D4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D69717
LoadStringW.USER32(00000000,?,00D4F7F8,00000001), ref: 00D69720

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D69742
LoadStringW.USER32(00000000,?,00D4F7F8,00000001), ref: 00D69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D69866

Strings

^ ERROR, xrefs: 00D697FB
Error: , xrefs: 00D6981D
Line %d:, xrefs: 00D697A0
Line %d (File "%s"):, xrefs: 00D6978F
%s (%d) : ==> %s: %s %s, xrefs: 00D6984A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 29df12aa57fdda69d1573e96a9a4d2daeb70c877efbe5951320b9b152d149350
Instruction ID: 1577b08b15de686b86c2782ef2262d78aa3fc3a9455762c41e73eb318dd305aa
Opcode Fuzzy Hash: 29df12aa57fdda69d1573e96a9a4d2daeb70c877efbe5951320b9b152d149350
Instruction Fuzzy Hash: 26412C72804209ABCB04EBE4DE96EEEB77CEF14340F500065F609B2192EA356F48CB71

Function 00D606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D6083C

Strings

SOFTWARE\Classes\, xrefs: 00D6070E
\IPC$, xrefs: 00D60784
\CLSID, xrefs: 00D60724

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: cec8bd12722ca585b76c40a5fcc16d2e95018df2b05cc59d49bc3375c42fe341
Instruction ID: 10332d6f1ea0028e64ec95b7d3c1fb5c69912b269ae86ee0fc219795fe028f32
Opcode Fuzzy Hash: cec8bd12722ca585b76c40a5fcc16d2e95018df2b05cc59d49bc3375c42fe341
Instruction Fuzzy Hash: 7341D971910229ABDB15EB94DC95DEEB778FF14350F444169E905A32A1EB309E44CFB0

Function 00D77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D77BA3
CoCreateInstance.OLE32(00D9FD08,00000000,00000001,00DC6E6C,?), ref: 00D77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D77C74
CoTaskMemFree.OLE32(?,?), ref: 00D77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D77D7A
CoTaskMemFree.OLE32(00000000), ref: 00D77D81
CoTaskMemFree.OLE32(00000000), ref: 00D77DD6
CoUninitialize.OLE32 ref: 00D77DDC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c1ea9885b56c89620bb6d66aebefd16a77c19e28d93463ca8c0d44f1486f06d0
Instruction ID: 21bcf48b03fc192a0d36bdcf2c3243f0a7648ef5dc8e1bcc053c0421d3040248
Opcode Fuzzy Hash: c1ea9885b56c89620bb6d66aebefd16a77c19e28d93463ca8c0d44f1486f06d0
Instruction Fuzzy Hash: 5CC10B75A04209AFDB14DFA4C888DAEBBF9FF48314B148499E819DB361D730ED45CBA0

Function 00D5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00D5FB08
VariantInit.OLEAUT32(?), ref: 00D5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00D5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D5FBA1
VariantClear.OLEAUT32(?), ref: 00D5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00D5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D5FBCC
VariantClear.OLEAUT32(?), ref: 00D5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D5FBE9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1422ed413f8eabaf61b0442cdbdbe0f3cdde2c6c22ec729d30bf2eed6e0f3ebd
Instruction ID: 19fcef06e4a357adf687b927ac6a16414bcf9721babab2556c9fe085be432fb0
Opcode Fuzzy Hash: 1422ed413f8eabaf61b0442cdbdbe0f3cdde2c6c22ec729d30bf2eed6e0f3ebd
Instruction Fuzzy Hash: 4F413E75A10219DFCF00DFA8D8549AEBBB9EF48345F008069ED55EB261DB30A945CFB1

Function 00D8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D805BC
inet_addr.WSOCK32(?), ref: 00D8061C
gethostbyname.WSOCK32(?), ref: 00D80628
IcmpCreateFile.IPHLPAPI ref: 00D80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D807B9
WSACleanup.WSOCK32 ref: 00D807BF

Strings

Ping, xrefs: 00D80676

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7ebc4fa168643326048acf60f87bc69007d6674016da521822dc892b0cb1001e
Instruction ID: 3eba0d3fc32cf807e64ce40f103ae0384917190f4a243f0319c722c73f630fe7
Opcode Fuzzy Hash: 7ebc4fa168643326048acf60f87bc69007d6674016da521822dc892b0cb1001e
Instruction Fuzzy Hash: CF918D756083419FD360EF15D889F1ABBE0EF44318F1885A9E4699B7A2C730ED49CFA1

Function 00D88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D88CF3

Part of subcall function 00D68E54: _wcslen.LIBCMT ref: 00D68E77

_wcslen.LIBCMT ref: 00D88D4E
_wcslen.LIBCMT ref: 00D88D9C
_wcslen.LIBCMT ref: 00D88DDC
_wcslen.LIBCMT ref: 00D88E6E

Strings

none, xrefs: 00D88E65, 00D88E6A
stdcall, xrefs: 00D88DD6, 00D88DDB
cdecl, xrefs: 00D88D48, 00D88D4D
winapi, xrefs: 00D88D96, 00D88D9B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c9ed1ceedea842f2012e562c5679c90f85a6b628ddb8583d163bf300869156b1
Instruction ID: 0751e874154f45c4c19627aea2efc018432411f6fed647559739974b4841d09c
Opcode Fuzzy Hash: c9ed1ceedea842f2012e562c5679c90f85a6b628ddb8583d163bf300869156b1
Instruction Fuzzy Hash: 3451AE31A001169BCB14EF6CC9509BEB3A5EF64324BA54229F866E72C5DB31DD40EBB0

Function 00D8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D83774
CoUninitialize.OLE32 ref: 00D8377F
CoCreateInstance.OLE32(?,00000000,00000017,00D9FB78,?), ref: 00D837D9
IIDFromString.OLE32(?,?), ref: 00D8384C
VariantInit.OLEAUT32(?), ref: 00D838E4
VariantClear.OLEAUT32(?), ref: 00D83936

Strings

Failed to create object, xrefs: 00D837E4, 00D8389A
Invalid parameter, xrefs: 00D83865
NULL Pointer assignment, xrefs: 00D8381E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 691250c9c20004b06a85e7477203dd2a828942fe8e68909a657a0d74ad7322b7
Instruction ID: 94ced06a9592b97257a4efde30416af845973a7f3f2ff55e914c8ad438bc3af4
Opcode Fuzzy Hash: 691250c9c20004b06a85e7477203dd2a828942fe8e68909a657a0d74ad7322b7
Instruction Fuzzy Hash: 3F619170608301AFD710EF54C849F5ABBE8EF44B14F144909F5899B291D770EE48CBB2

Function 00D05BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D05C7A

Part of subcall function 00D05D0A: GetClientRect.USER32(?,?), ref: 00D05D30
Part of subcall function 00D05D0A: GetWindowRect.USER32(?,?), ref: 00D05D71
Part of subcall function 00D05D0A: ScreenToClient.USER32(?,?), ref: 00D05D99

GetDC.USER32 ref: 00D446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D44708
SelectObject.GDI32(00000000,00000000), ref: 00D44716
SelectObject.GDI32(00000000,00000000), ref: 00D4472B
ReleaseDC.USER32(?,00000000), ref: 00D44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D447C4

Strings

U, xrefs: 00D44693
@U=u, xrefs: 00D44708

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 367e38cd535adcfaa7b7c4f2378b4ed42e2aef5b4f02224485fdb09173a2a3cc
Instruction ID: 5b39c961233457d46d2acf299f87255a19b2e740dda5425ea5051b71bf524795
Opcode Fuzzy Hash: 367e38cd535adcfaa7b7c4f2378b4ed42e2aef5b4f02224485fdb09173a2a3cc
Instruction Fuzzy Hash: 3371B035400205DFDF218F64C984BFA7BB5FF46360F18426AED555A2AAC7319882DFB0

Function 00D98B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

Part of subcall function 00D1912D: GetCursorPos.USER32(?), ref: 00D19141
Part of subcall function 00D1912D: ScreenToClient.USER32(00000000,?), ref: 00D1915E
Part of subcall function 00D1912D: GetAsyncKeyState.USER32(00000001), ref: 00D19183
Part of subcall function 00D1912D: GetAsyncKeyState.USER32(00000002), ref: 00D1919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D98B6B
ImageList_EndDrag.COMCTL32 ref: 00D98B71
ReleaseCapture.USER32 ref: 00D98B77
SetWindowTextW.USER32(?,00000000), ref: 00D98C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D98C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D98CFF

Strings

@GUI_DRAGFILE, xrefs: 00D98C9A
@U=u, xrefs: 00D98C25
@GUI_DROPID, xrefs: 00D98C51

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 62b77c20208f76a888484acdb02e3396dd3af12d4e730a8c39c12b159919fab7
Instruction ID: 7c1cf7cf2043d2a540fb6b814afd03058185d10457edeb848813cb10c4d9db34
Opcode Fuzzy Hash: 62b77c20208f76a888484acdb02e3396dd3af12d4e730a8c39c12b159919fab7
Instruction Fuzzy Hash: AD516A75605300AFDB00DF14D8A6FAA77E4FB89714F40062EF996A72E2CB709944CB72

Function 00D73388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D733CF

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D733F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00D73522
"%s" (%d) : ==> %s:%s%s, xrefs: 00D73504
Incorrect parameters to object property !, xrefs: 00D734AB
^ ERROR , xrefs: 00D7349E
Error: , xrefs: 00D734D1
Line %d (File "%s"):, xrefs: 00D73443, 00D7345C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7c856b67e6ba998733f08f96b8b66fffadfb6de5b7b545394807f9d92019a39f
Instruction ID: 32e13008a03189cd78d8b809424b5b3b830c154c622288a4fabb57771306e1d7
Opcode Fuzzy Hash: 7c856b67e6ba998733f08f96b8b66fffadfb6de5b7b545394807f9d92019a39f
Instruction Fuzzy Hash: A2516D7190020AAADF15EBA0DD52EEEB778EF04340F148165F509B2192EB316F58DB70

Function 00D6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D6B5FC
_wcslen.LIBCMT ref: 00D6B608
_wcslen.LIBCMT ref: 00D6B64D
_wcslen.LIBCMT ref: 00D6B68C
_wcslen.LIBCMT ref: 00D6B6C7

Strings

KEYS, xrefs: 00D6B647, 00D6B64C
EXISTS, xrefs: 00D6B686, 00D6B68B
REMOVE, xrefs: 00D6B602, 00D6B607
APPEND, xrefs: 00D6B6C1, 00D6B6C6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: c3e0522647cec0f0a400171f73470969449930a982be4c21fd530c0089c48faa
Instruction ID: 976cd721c2f4fe55abc9c4aac2921f8c3a718438382d5d0bf463fdc405a70515
Opcode Fuzzy Hash: c3e0522647cec0f0a400171f73470969449930a982be4c21fd530c0089c48faa
Instruction Fuzzy Hash: E241A432A001279BCB205FBDC9905BE7BA5AB60774B29452BE565DB284E731CDC1C7B0

Function 00D75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D75416
GetLastError.KERNEL32 ref: 00D75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D754A7

Strings

INVALID, xrefs: 00D75459
READY, xrefs: 00D75460, 00D75468
READONLY, xrefs: 00D75452
UNKNOWN, xrefs: 00D75444
NOTREADY, xrefs: 00D7544B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fec52ab25c83790a181dbe921b9bde8330f6c5f19615dd73daca32de0de471dc
Instruction ID: 075da48ef9c68c48632f20c9a206fedb79bb03db91e3daffaaa10bd1beab7360
Opcode Fuzzy Hash: fec52ab25c83790a181dbe921b9bde8330f6c5f19615dd73daca32de0de471dc
Instruction Fuzzy Hash: 12318035A006059FD710DF68D484BA977A4EB05309F18C059E40ADB396EBB1DD82CBB2

Function 00D92D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D92D1B
GetDC.USER32(00000000), ref: 00D92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D92DE1

Strings

@U=u, xrefs: 00D92D87, 00D92DE1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: c3df36c3f7adee7ad69dea83805c9d1658995bfcfeb2cfda26f0a94b06b6fba4
Instruction ID: a697de6f54446475b336779e4fa9cd5604b086fa83694f1a3d4c9839bad9f48d
Opcode Fuzzy Hash: c3df36c3f7adee7ad69dea83805c9d1658995bfcfeb2cfda26f0a94b06b6fba4
Instruction Fuzzy Hash: AA316B72211214BBEF118F508C8AFFB3BA9EB09715F084056FE08DA2A1D6759C50CBB4

Function 00D6209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D6214D

Strings

largeicons, xrefs: 00D620E1
SHELLDLL_DefView, xrefs: 00D620CC
smallicons, xrefs: 00D62115
@U=u, xrefs: 00D6214D
details, xrefs: 00D620FB
list, xrefs: 00D6212F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 99103591d7816447dec551407e40ded21cd248b3a6bddbe13bbbeb598de423ca
Instruction ID: b7486047e0e73b076d717e04c6febe3da3889ca462419aa4a292318f9b4aeb42
Opcode Fuzzy Hash: 99103591d7816447dec551407e40ded21cd248b3a6bddbe13bbbeb598de423ca
Instruction Fuzzy Hash: F71106766CCB17BBF6116220FC07EB6779CCB26328B20001AFB04A90E5EE65AC465634

Function 00D93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D93C13

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e6e0ae14d89793e751e0f41115dfe49c1b72a3d78eef4f7bb851c1b0ab1e7c98
Instruction ID: 200fa45aef2e451089da927946fd1800b0c3065f81808b4df5fa995064a3befa
Opcode Fuzzy Hash: e6e0ae14d89793e751e0f41115dfe49c1b72a3d78eef4f7bb851c1b0ab1e7c98
Instruction Fuzzy Hash: 4F615C75900248AFDB10DFA8CC81EEE77B8EB09704F14415AFA15E72A1D770AA45DB60

Function 00D6B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D6B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D6B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D6B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D6A1E1,?,00000001), ref: 00D6B21D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f937869fea9149f519ef268e533237e739c61f86ed46200224bc139de53c2a81
Instruction ID: 76eb2f9fda0f8504094be09cfd0c692503d1e51d88366f28a582b6603b09c18e
Opcode Fuzzy Hash: f937869fea9149f519ef268e533237e739c61f86ed46200224bc139de53c2a81
Instruction Fuzzy Hash: F9319C71650304BFDB209F64DC58B7E7BA9BB55321F149017FA01D72A0D7B89A808F79

Function 00D32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D32C94

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D32CA0
_free.LIBCMT ref: 00D32CAB
_free.LIBCMT ref: 00D32CB6
_free.LIBCMT ref: 00D32CC1
_free.LIBCMT ref: 00D32CCC
_free.LIBCMT ref: 00D32CD7
_free.LIBCMT ref: 00D32CE2
_free.LIBCMT ref: 00D32CED
_free.LIBCMT ref: 00D32CFB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 13b285a0de3f57f01766fc3e02b8792d7e1f1aecad21d671015650766ba35ffe
Instruction ID: f289049e22976786b0a201894860112d07d5ab7299138958ef878c3759b4b0f8
Opcode Fuzzy Hash: 13b285a0de3f57f01766fc3e02b8792d7e1f1aecad21d671015650766ba35ffe
Instruction Fuzzy Hash: EA119376940118AFCB02EF54E882DED7BA5FF05350F4144A5FA489B222DB31EA509FB0

Function 00D01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D01459
OleUninitialize.OLE32(?,00000000), ref: 00D014F8
UnregisterHotKey.USER32(?), ref: 00D016DD
DestroyWindow.USER32(?), ref: 00D424B9
FreeLibrary.KERNEL32(?), ref: 00D4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D4254B

Strings

close all, xrefs: 00D01454

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bbcc2073ba9f9802c275861681d3ccb96e788a76ab243d8e6697ccd403822e30
Instruction ID: 2d01c39ffb7b4fc2c3d062554a933fd79dd75a6d50ace355ac1efabc3e88f1cf
Opcode Fuzzy Hash: bbcc2073ba9f9802c275861681d3ccb96e788a76ab243d8e6697ccd403822e30
Instruction Fuzzy Hash: 1FD138356012129FCB19EF15D899B69F7A0FF05700F5942ADE44AAB2A2DB31ED12CF70

Function 00D7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D735E4

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

LoadStringW.USER32(00DD2390,?,00000FFF,?), ref: 00D7360A

Strings

^ ERROR, xrefs: 00D736C9
"%s" (%d) : ==> %s:, xrefs: 00D73742
"%s" (%d) : ==> %s:%s%s, xrefs: 00D73724
Error: , xrefs: 00D736EF
Line %d (File "%s"):, xrefs: 00D7366B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 4073df36258275667474fa534a8c58f283bbb17e454d42866ffbe7a8c47af786
Instruction ID: 7ee90c2a08092c265e1fffdb0b36eb24b174fc772c05218e6d3c2f244b7f1f99
Opcode Fuzzy Hash: 4073df36258275667474fa534a8c58f283bbb17e454d42866ffbe7a8c47af786
Instruction Fuzzy Hash: 47514F7190020ABBDF15EBA4DC52EEEBB79EF04300F544125F509721A2EB316A99DF71

Function 00D93886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D93954
_wcslen.LIBCMT ref: 00D93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D939F4

Strings

SysListView32, xrefs: 00D938F7
@U=u, xrefs: 00D93925, 00D9393A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 8089e285b524eee561eaae53c7731a0bbf3e4cccfb62fe8f58a27819cb8d6643
Instruction ID: b60e768fe3bdeed18ae2a612ef8241fa4c97f1d48a026d9a8e5d75189212f306
Opcode Fuzzy Hash: 8089e285b524eee561eaae53c7731a0bbf3e4cccfb62fe8f58a27819cb8d6643
Instruction Fuzzy Hash: CC418171A00319BBEF219F64CC45BEA7BA9EF08354F14052AF958E7291D771D984CBB0

Function 00D92DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D92E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00D92E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D92E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D92EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D92EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00D92EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D92F0B

Strings

@U=u, xrefs: 00D92E1C, 00D92EB6, 00D92EE0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: be13745a9841d1701c70ba8105bd2a3c9f76fd3b80e1d74978408367652d6b41
Instruction ID: f965846c447974e0d807ae86183285a7c02c5d47687e9f01f88700cc71a1b69b
Opcode Fuzzy Hash: be13745a9841d1701c70ba8105bd2a3c9f76fd3b80e1d74978408367652d6b41
Instruction Fuzzy Hash: 0F31FD39605254AFEF21CF58DCD4FA537E1EB8A720F1911A6F914CB2B2CB71A840DB61

Function 00D7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D7C2CA
GetLastError.KERNEL32 ref: 00D7C322
SetEvent.KERNEL32(?), ref: 00D7C336
InternetCloseHandle.WININET(00000000), ref: 00D7C341

Strings

, xrefs: 00D7C2BB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 313582bdea65e60969741e0788ef3c2509ca505ae2ca751a1334f20d3b719eb2
Instruction ID: 9fd988e8a3d960224f2b795edec607bcdc5f7142d2297abee9248301446fd0e6
Opcode Fuzzy Hash: 313582bdea65e60969741e0788ef3c2509ca505ae2ca751a1334f20d3b719eb2
Instruction Fuzzy Hash: F7317FB1520708AFD7219FA48C88AAB7BFCEB49744B14E51EF48AD2211EB34DD049B70

Function 00D6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D43AAF,?,?,Bad directive syntax error,00D9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D698BC
LoadStringW.USER32(00000000,?,00D43AAF,?), ref: 00D698C3

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D69987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00D698F1
Line %d:, xrefs: 00D69912
Line %d (File "%s"):, xrefs: 00D6992D
., xrefs: 00D6996D
Error: , xrefs: 00D69955

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b485a65c72f4148d3af063134a2412c0a66b510e8a24a9c4d613379a385d15ca
Instruction ID: e2944179a32ae8ba61b88c355984ccc8e3bc168dd22a54284191e0125de0f9d0
Opcode Fuzzy Hash: b485a65c72f4148d3af063134a2412c0a66b510e8a24a9c4d613379a385d15ca
Instruction Fuzzy Hash: A5217C3281421AABCF15AF90CC56FEEB739FF18300F04546AF519620A2EB31A658DB30

Function 00D3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00D3CEB7
_free.LIBCMT ref: 00D3CF22
_free.LIBCMT ref: 00D3CF48
_free.LIBCMT ref: 00D3CF71
_free.LIBCMT ref: 00D3CFA9
_free.LIBCMT ref: 00D3CFDA
_free.LIBCMT ref: 00D3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00D3D09C
_free.LIBCMT ref: 00D3D0B5

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 83dbd65661a52b81688bcd4b1c501bc469f4df7b455594e44774989747608c7c
Instruction ID: bb66fa603f745c1b66300c443487c57ecf47f52a037209a9e7a2cfd5d149e208
Opcode Fuzzy Hash: 83dbd65661a52b81688bcd4b1c501bc469f4df7b455594e44774989747608c7c
Instruction Fuzzy Hash: 0A610671906311AFDB25AFB4A881B797BA6EF05364F18416EF944F7281D7329D01CBB0

Function 00D7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D7C182
GetLastError.KERNEL32 ref: 00D7C195
SetEvent.KERNEL32(?), ref: 00D7C1A9

Part of subcall function 00D7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D7C272
Part of subcall function 00D7C253: GetLastError.KERNEL32 ref: 00D7C322
Part of subcall function 00D7C253: SetEvent.KERNEL32(?), ref: 00D7C336
Part of subcall function 00D7C253: InternetCloseHandle.WININET(00000000), ref: 00D7C341

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f5eaf8c06857dbcf451bdd3b675729893b96ab9c8f688f9c87a176ada4b7e7b3
Instruction ID: 500bde60609aa094d28f8b657f29a7ef0ca8a4aa968c699c31761b78f3a99c83
Opcode Fuzzy Hash: f5eaf8c06857dbcf451bdd3b675729893b96ab9c8f688f9c87a176ada4b7e7b3
Instruction Fuzzy Hash: 9731BC71221701AFDB219FE5DC04A66BBF8FF18300B44A42EF95AC6621E730E810DBB0

Function 00D625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D63A57
Part of subcall function 00D63A3D: GetCurrentThreadId.KERNEL32 ref: 00D63A5E
Part of subcall function 00D63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D625B3), ref: 00D63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D62627

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0dbaa5424df5c1434cde83ed4cb080c38d3eb90800550e9d81325323746e6cdd
Instruction ID: 44737c249b4b58104fac23985b2abbb1d988c4cc16612ec52238bb7aa887b308
Opcode Fuzzy Hash: 0dbaa5424df5c1434cde83ed4cb080c38d3eb90800550e9d81325323746e6cdd
Instruction Fuzzy Hash: EB01B1303A0710BBFB2067699C8AF593E59DF5AB52F101012F358EF1E1C9E26444DA7A

Function 00D61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D61449,?,?,00000000), ref: 00D6180C
HeapAlloc.KERNEL32(00000000,?,00D61449,?,?,00000000), ref: 00D61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D61449,?,?,00000000), ref: 00D61828
GetCurrentProcess.KERNEL32(?,00000000,?,00D61449,?,?,00000000), ref: 00D61830
DuplicateHandle.KERNEL32(00000000,?,00D61449,?,?,00000000), ref: 00D61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D61449,?,?,00000000), ref: 00D61843
GetCurrentProcess.KERNEL32(00D61449,00000000,?,00D61449,?,?,00000000), ref: 00D6184B
DuplicateHandle.KERNEL32(00000000,?,00D61449,?,?,00000000), ref: 00D6184E
CreateThread.KERNEL32(00000000,00000000,00D61874,00000000,00000000,00000000), ref: 00D61868

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: fa2a281e134a9b5ee127105817633925b45cbf8a6bfb5c4d9db1e8e24c8f4784
Instruction ID: f48380f8d9ac44cc7118c90a0cf4735e6bdd1273f4d86a152fe6d7b3ec046a2b
Opcode Fuzzy Hash: fa2a281e134a9b5ee127105817633925b45cbf8a6bfb5c4d9db1e8e24c8f4784
Instruction Fuzzy Hash: 5101BBB5250308BFE710ABA5DD4EF6B3BACEB89B11F405412FA05DB2A1CA709800CB34

Function 00D8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D6D501
Part of subcall function 00D6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D6D50F
Part of subcall function 00D6D4DC: CloseHandle.KERNEL32(00000000), ref: 00D6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8A16D
GetLastError.KERNEL32 ref: 00D8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D8A268
GetLastError.KERNEL32(00000000), ref: 00D8A273
CloseHandle.KERNEL32(00000000), ref: 00D8A2C4

Strings

SeDebugPrivilege, xrefs: 00D8A18F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7582f4eab5c41873ef8e6ceecc7a5142ebc807752e785ff2bb203891e1a095bb
Instruction ID: 9d47b6e07630d039509c009058a265faa61b1d3ca39e73c3f535e492419a91a7
Opcode Fuzzy Hash: 7582f4eab5c41873ef8e6ceecc7a5142ebc807752e785ff2bb203891e1a095bb
Instruction Fuzzy Hash: E4616F702052429FE720EF18C494F19BBE1AF44318F18949DE46A8B7A3C776ED45CBB6

Function 00D6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D6BCFD
IsMenu.USER32(00000000), ref: 00D6BD1D
CreatePopupMenu.USER32 ref: 00D6BD53
GetMenuItemCount.USER32(013C5CD8), ref: 00D6BDA4
InsertMenuItemW.USER32(013C5CD8,?,00000001,00000030), ref: 00D6BDCC

Strings

2, xrefs: 00D6BD37
0, xrefs: 00D6BCA8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 21db008df9e7cc36bf49bc5c1ce924f36f39c0db1acb566dc28a34ce62cc9012
Instruction ID: 800e678403a7b76f7ee6e27042f3f22d381e7aaeadfa2417b265a8f48900c090
Opcode Fuzzy Hash: 21db008df9e7cc36bf49bc5c1ce924f36f39c0db1acb566dc28a34ce62cc9012
Instruction Fuzzy Hash: D5517F70A003059BDB20DFA8D884BAEBBF8EF55364F18425BE452DB291E7709985CF71

Function 00D981DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D5F3AB,00000000,?,?,00000000,?,00D5682C,00000004,00000000,00000000), ref: 00D9824C
EnableWindow.USER32(00000000,00000000), ref: 00D98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D982D1
ShowWindow.USER32(00000000,00000004), ref: 00D982E5
EnableWindow.USER32(00000000,00000001), ref: 00D9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D9832F

Strings

@U=u, xrefs: 00D9832F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: f868167996ecee8317e9ee4f97d6067144a3f4bf873076127ffb7ca5e8d542fb
Instruction ID: 4ab6d8616fa3dd775de7b34470d26dcf918f47c8693a1c203cf1d7e4d934030a
Opcode Fuzzy Hash: f868167996ecee8317e9ee4f97d6067144a3f4bf873076127ffb7ca5e8d542fb
Instruction Fuzzy Hash: B5416034602744AFDF25CF15C899BA47BE1FB0BB15F1851AAE5188B2A2CB31A841DF74

Function 00D64C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D64CEA
_wcslen.LIBCMT ref: 00D64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D64D10
_wcsstr.LIBVCRUNTIME ref: 00D64D1A

Strings

@U=u, xrefs: 00D64CB2, 00D64CEA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: bf2d188d01f6369cacdc4cf7aee008cd7a94b85a6d10d0a5ab63eb5570fb2213
Instruction ID: a8bbcef515dbc90a70a7aaff1339590fcfb8e3ef0569ea30e17dbafe076e85da
Opcode Fuzzy Hash: bf2d188d01f6369cacdc4cf7aee008cd7a94b85a6d10d0a5ab63eb5570fb2213
Instruction Fuzzy Hash: 7921D872604210BBEB255B79EC49E7F7BACDF55750F14803AF805CA2A1EE61DC4196B0

Function 00D6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D6C913

Strings

warning, xrefs: 00D6C8FC
info, xrefs: 00D6C8B4
blank, xrefs: 00D6C895
stop, xrefs: 00D6C8E4
question, xrefs: 00D6C8CC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 99384899cb78bd216e3fc183d552b9f1d29e80ebe9aeefa0314400c3e25c340b
Instruction ID: d0b6d8b41a1227ccef61dc7703c0771acabe77fe43b2c777c5542757fdd992d6
Opcode Fuzzy Hash: 99384899cb78bd216e3fc183d552b9f1d29e80ebe9aeefa0314400c3e25c340b
Instruction Fuzzy Hash: AE11EB316D9307BFA7059B54AC82DBA679CDF15359B20142FF944E72C2D770DD005674

Function 00D57439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D57469
GetWindowDC.USER32(?), ref: 00D57475
GetPixel.GDI32(00000000,?,?), ref: 00D57484
ReleaseDC.USER32(?,00000000), ref: 00D57496
GetSysColor.USER32(00000005), ref: 00D574B0

Strings

@U=u, xrefs: 00D57469

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 21d6e95ebd0a393e796c7ea82c11953fdcde73df621aa45542d3494a538c4962
Instruction ID: 4c8d81a219babcf68a305995f4cf8aa1acd07e036f0542f40a6d286abaa593d9
Opcode Fuzzy Hash: 21d6e95ebd0a393e796c7ea82c11953fdcde73df621aa45542d3494a538c4962
Instruction Fuzzy Hash: A7017831410205EFDB505FA4EC08BAA7BB5FB04312F651061FD16E22B0CB311E41AB70

Function 00D6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D6ED2A
_wcslen.LIBCMT ref: 00D6ED3B
_wcslen.LIBCMT ref: 00D6ED79
_wcslen.LIBCMT ref: 00D6EDAF
_wcslen.LIBCMT ref: 00D6EDDF
_wcslen.LIBCMT ref: 00D6EDEF
_wcslen.LIBCMT ref: 00D6EE2B
_wcslen.LIBCMT ref: 00D6EE5A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 05092213279e46d9c44d2bd1c7a79bd8cba0164e67b95b464fcaec1049b6405d
Instruction ID: 0ef1deb4c2dfef32b749bdea4953ae620609a08d7e2e77fea2dc3002672ebef2
Opcode Fuzzy Hash: 05092213279e46d9c44d2bd1c7a79bd8cba0164e67b95b464fcaec1049b6405d
Instruction Fuzzy Hash: D041B365C10228B6CB11EBF4988A9CFB7A8EF55310F508466F528E3122FB34E245C7B9

Function 00D1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D5682C,00000004,00000000,00000000), ref: 00D1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D5682C,00000004,00000000,00000000), ref: 00D5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D5682C,00000004,00000000,00000000), ref: 00D5F454

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0bf2c9c602e0212760c469480264adec917f9529e8ef91546e9e2344fb9366d9
Instruction ID: 817f5c6e66eb6015c9e718efe19d0dcf9ad220e57505d47caeaafd5ef92c445f
Opcode Fuzzy Hash: 0bf2c9c602e0212760c469480264adec917f9529e8ef91546e9e2344fb9366d9
Instruction Fuzzy Hash: F0414031608740BBDB34AB29E9887AE7B91AB55321F5C443DE8C796661CE31D8C5CF30

Function 00D65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D65637
_memcmp.LIBVCRUNTIME ref: 00D65659
_memcmp.LIBVCRUNTIME ref: 00D65671
_memcmp.LIBVCRUNTIME ref: 00D65684
_memcmp.LIBVCRUNTIME ref: 00D6569E
_memcmp.LIBVCRUNTIME ref: 00D656B1
_memcmp.LIBVCRUNTIME ref: 00D656C9
_memcmp.LIBVCRUNTIME ref: 00D656E4

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 67c9b4cded19ccc7b490ea995541e6209f1e3e109302a961a811872445e0016f
Instruction ID: e1960955a9375d6e54afeedb141627cec5af556185415c40e1fb4e48d9d332b8
Opcode Fuzzy Hash: 67c9b4cded19ccc7b490ea995541e6209f1e3e109302a961a811872445e0016f
Instruction Fuzzy Hash: 3F21C675644A197BD7149660FE82FFA335DEF31398F488020FD05AA689F720EDA4C2B5

Function 00D84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00D85007
NULL Pointer assignment, xrefs: 00D8502E, 00D85383

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4c52013b1afb4444416808035248440ef52db060b2a032be752bfd878f6e5357
Instruction ID: 7a3dfbed1830154ad317262e4c109283b8c95a2a21d0e8f8e2bff0033332a558
Opcode Fuzzy Hash: 4c52013b1afb4444416808035248440ef52db060b2a032be752bfd878f6e5357
Instruction Fuzzy Hash: 4ED1AF75A0060AAFDF10DF98D884BAEB7B5FF48344F188069E915AB284E771DD45CBB0

Function 00D41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00D417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00D415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D41651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00D417FB,?,00D417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D416FB

Part of subcall function 00D33820: RtlAllocateHeap.NTDLL(00000000,?,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6,?,00D01129), ref: 00D33852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00D417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D41777
__freea.LIBCMT ref: 00D417A2
__freea.LIBCMT ref: 00D417AE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a964c5b8989fb826437401dce8f82569101f3679c220301f87752c5eb896665a
Instruction ID: 744f5a23b1afdc5d411d4bb548144984a58b63d9c125c7ccbc9ec3b8541ee623
Opcode Fuzzy Hash: a964c5b8989fb826437401dce8f82569101f3679c220301f87752c5eb896665a
Instruction Fuzzy Hash: 4591A279E102169BDF208F64C881AEE7BB5EF49350F1C4659E805E7281E735DC84CB70

Function 00D84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D84648
VariantInit.OLEAUT32(?), ref: 00D84749
VariantClear.OLEAUT32(?), ref: 00D84753
VariantClear.OLEAUT32(?), ref: 00D847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D8472C
Null Object assignment in FOR..IN loop, xrefs: 00D845D8, 00D84706, 00D847BE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 38b634d98dd76c5ee7d81263ed9d9f16d51baa04bb29c72f5701f57b63ac435e
Instruction ID: 5d4e4fef25f52cf8c16a03ec669b59b9b002aa061a49882ab2a55d89e6830af8
Opcode Fuzzy Hash: 38b634d98dd76c5ee7d81263ed9d9f16d51baa04bb29c72f5701f57b63ac435e
Instruction Fuzzy Hash: 8D916A71A0021AABDF20DFA5CC85FAEBBB8EF46714F148559F505AB280E7709945CBB0

Function 00D71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D71430

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: ba3be00c074adeeca29a561901407aacf406b73bcd951ab992f05b7a27f355f5
Instruction ID: bdc3405798272db50848b5d5cf4114721aeb55f126cfc5e2d9ba2696d8961aca
Opcode Fuzzy Hash: ba3be00c074adeeca29a561901407aacf406b73bcd951ab992f05b7a27f355f5
Instruction Fuzzy Hash: B9911679A00218AFDB00DF98D885BBE77B5FF45314F148129E948EB292E774E945CBB0

Function 00D1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27e54eebe02356bae7f3777df981b7b5d683c50dd7dda4c1bc77a93c0ca31ed7
Instruction ID: 3cf4757854c800528d3c16066311a3afa2f8a2f7739d35eea621d807b53b9ca4
Opcode Fuzzy Hash: 27e54eebe02356bae7f3777df981b7b5d683c50dd7dda4c1bc77a93c0ca31ed7
Instruction Fuzzy Hash: 7B913671D00219EFDB10CFA9D894AEEBBB9FF49320F248055E915B7251D774AA82CB70

Function 00D83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D8396B
CharUpperBuffW.USER32(?,?), ref: 00D83A7A
_wcslen.LIBCMT ref: 00D83A8A
VariantClear.OLEAUT32(?), ref: 00D83C1F

Part of subcall function 00D70CDF: VariantInit.OLEAUT32(00000000), ref: 00D70D1F
Part of subcall function 00D70CDF: VariantCopy.OLEAUT32(?,?), ref: 00D70D28
Part of subcall function 00D70CDF: VariantClear.OLEAUT32(?), ref: 00D70D34

Strings

AUTOIT.ERROR, xrefs: 00D83A80, 00D83A85
Incorrect Parameter format, xrefs: 00D839A6, 00D83BA1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 19d9fea1fc133dd0924071720c286e2f4893b949a9554f91933b25b633b67012
Instruction ID: e4cb9438300ebd3d92a0e67fa94db58b8772731d5d93190a3ac210e38c7b05b0
Opcode Fuzzy Hash: 19d9fea1fc133dd0924071720c286e2f4893b949a9554f91933b25b633b67012
Instruction Fuzzy Hash: F59159756083459FC704EF28C49096AB7E5FF88714F14892DF88A9B391DB31EE45CBA2

Function 00D84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?,?,00D6035E), ref: 00D6002B
Part of subcall function 00D6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?), ref: 00D60046
Part of subcall function 00D6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?), ref: 00D60054
Part of subcall function 00D6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?), ref: 00D60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D84C51
_wcslen.LIBCMT ref: 00D84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D84DCF
CoTaskMemFree.OLE32(?), ref: 00D84DDA

Strings

NULL Pointer assignment, xrefs: 00D84E23, 00D84E52

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4d4c02682f8960a3b4c2c90fc4ceccfcc987b359f87df6217a80aa1ebbd17aab
Instruction ID: d052e411868a94a9f746b9b43ad14bbc369f4ae333ca79e4a416d74d5a8f44f3
Opcode Fuzzy Hash: 4d4c02682f8960a3b4c2c90fc4ceccfcc987b359f87df6217a80aa1ebbd17aab
Instruction Fuzzy Hash: 45910971D00219AFDF15EFA4D891AEEB7B8FF08314F108169E519A7291DB309A44CF70

Function 00D920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D92183
GetMenuItemCount.USER32(00000000), ref: 00D921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D921DD
_wcslen.LIBCMT ref: 00D92213
GetMenuItemID.USER32(?,?), ref: 00D9224D
GetSubMenu.USER32(?,?), ref: 00D9225B

Part of subcall function 00D63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D63A57
Part of subcall function 00D63A3D: GetCurrentThreadId.KERNEL32 ref: 00D63A5E
Part of subcall function 00D63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D625B3), ref: 00D63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D922E3

Part of subcall function 00D6E97B: Sleep.KERNEL32 ref: 00D6E9F3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3a450aedf1bd192f7cd79f965d28d1b5b3e61121a8ca17ec48ce8b26a0357350
Instruction ID: 3661ac5b1e4062ce3081cd6751411d58519a518933e3bc92a838d555be37d227
Opcode Fuzzy Hash: 3a450aedf1bd192f7cd79f965d28d1b5b3e61121a8ca17ec48ce8b26a0357350
Instruction Fuzzy Hash: CB714C75A00215AFCF14EFA4D845ABEB7F5EF88310F148459E856EB351DB34E9418BB0

Function 00D6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D6AEF9
GetKeyboardState.USER32(?), ref: 00D6AF0E
SetKeyboardState.USER32(?), ref: 00D6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D6B020

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 325861153bcff7a7ace31f6d96e013a8d82adbb8af2f84d562668e4e55539198
Instruction ID: 7e84387328dc668f568e13ac68a2e1d12d17949327daa046b93f8409bc02f44d
Opcode Fuzzy Hash: 325861153bcff7a7ace31f6d96e013a8d82adbb8af2f84d562668e4e55539198
Instruction Fuzzy Hash: 9751C3A0A147D53EFB3682388845BBA7EE95F06314F0C848AF1D5954D3C3A9ACC4D772

Function 00D6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D6AD19
GetKeyboardState.USER32(?), ref: 00D6AD2E
SetKeyboardState.USER32(?), ref: 00D6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D6AE38

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 64e0cfa4677c33d47e518f422742651054798e70317ce8847a76d74307c53b20
Instruction ID: 8f264d43ffb42af3f46511de85c3c823a0c5ce92900840130b689fd0f74fb420
Opcode Fuzzy Hash: 64e0cfa4677c33d47e518f422742651054798e70317ce8847a76d74307c53b20
Instruction Fuzzy Hash: F851D8A16047D53EFB3683388C95B7A7EE85B46300F0C8489F1D5A68C3D295EC84DB72

Function 00D3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00D43CD6,?,?,?,?,?,?,?,?,00D35BA3,?,?,00D43CD6,?,?), ref: 00D35470
__fassign.LIBCMT ref: 00D354EB
__fassign.LIBCMT ref: 00D35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00D43CD6,00000005,00000000,00000000), ref: 00D3552C
WriteFile.KERNEL32(?,00D43CD6,00000000,00D35BA3,00000000,?,?,?,?,?,?,?,?,?,00D35BA3,?), ref: 00D3554B
WriteFile.KERNEL32(?,?,00000001,00D35BA3,00000000,?,?,?,?,?,?,?,?,?,00D35BA3,?), ref: 00D35584

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ad7e184d9b0438a6d7d0133a4cf6515136709a4b4f183c54df321a2218a540ff
Instruction ID: 2c380d270aba8834144981f0451b14cad700c2b9d4c6cf6bb4e10607dfc0c6bb
Opcode Fuzzy Hash: ad7e184d9b0438a6d7d0133a4cf6515136709a4b4f183c54df321a2218a540ff
Instruction Fuzzy Hash: 7C519071A00749AFDB10CFA8E845AEEBBF9EF09300F14456AE955E7295D730AA41CB70

Function 00D96B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D7AB79,00000000,00000000), ref: 00D96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D96CC7

Strings

@U=u, xrefs: 00D96C73

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 85ad93c30bcef4f71fdf42d9005db5e553a0eb0155ee28866dc09b4e5015b53a
Instruction ID: 0542c7f8c6996405cb191f6d6410511005ac946fa78024f0f7305b0d3906506d
Opcode Fuzzy Hash: 85ad93c30bcef4f71fdf42d9005db5e553a0eb0155ee28866dc09b4e5015b53a
Instruction Fuzzy Hash: A6417C35A04204AFDF249F68CD58FA97FA5EB09350F190269F899A72A0D271ED41CB60

Function 00D22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00D22D53
_ValidateLocalCookies.LIBCMT ref: 00D22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00D22E0C
_ValidateLocalCookies.LIBCMT ref: 00D22E61

Strings

csm, xrefs: 00D22DF6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a3f59a6d24ff2c991e4f2d20c2845c38c2efa8966344ab6fca28ab29b50ea063
Instruction ID: 5169560925c3f80aa71c0ffbed286a0f185281f0f065c6c5abe9eac8ba80e517
Opcode Fuzzy Hash: a3f59a6d24ff2c991e4f2d20c2845c38c2efa8966344ab6fca28ab29b50ea063
Instruction Fuzzy Hash: 1841B134A00229ABCF10DF68E845AAEBBA5FF55328F188155F814AB352D7359A05CBF0

Function 00D810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D8307A
Part of subcall function 00D8304E: _wcslen.LIBCMT ref: 00D8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D81112
WSAGetLastError.WSOCK32 ref: 00D81121
WSAGetLastError.WSOCK32 ref: 00D811C9
closesocket.WSOCK32(00000000), ref: 00D811F9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 11d3523221c411dd5b5b91999e76e497e5583afc987b0f32e566d16d65163ce9
Instruction ID: a6da17a08cfd6be3641d0d416dd12ef92936c69a8e1277fa781d092e2be047d0
Opcode Fuzzy Hash: 11d3523221c411dd5b5b91999e76e497e5583afc987b0f32e566d16d65163ce9
Instruction Fuzzy Hash: F841D235600304AFDB10AF54C888BAABBE9EF45364F188159F959DB291C770ED46CBB1

Function 00D6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D6CF22,?), ref: 00D6DDFD

Part of subcall function 00D6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D6CF22,?), ref: 00D6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D6CF45
MoveFileW.KERNEL32(?,?), ref: 00D6CF7F
_wcslen.LIBCMT ref: 00D6D005
_wcslen.LIBCMT ref: 00D6D01B
SHFileOperationW.SHELL32(?), ref: 00D6D061

Strings

\*.*, xrefs: 00D6CFF3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d2eadb145d584c5e3931f339612d40f181ed12f550906db799b18cf1c9303531
Instruction ID: d298355ca2122055c1a8d5bb98a299cc34fd9e9066e5e02e9cd26bc7c2736991
Opcode Fuzzy Hash: d2eadb145d584c5e3931f339612d40f181ed12f550906db799b18cf1c9303531
Instruction Fuzzy Hash: 71415771D462189FDF12EFA4D981AEDB7B9EF58380F0400E6E545EB141EA34A684CB70

Function 00D67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D6778F
SysAllocString.OLEAUT32(00000000), ref: 00D67792
SysAllocString.OLEAUT32(?), ref: 00D677B0
SysFreeString.OLEAUT32(?), ref: 00D677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D677DE
SysAllocString.OLEAUT32(?), ref: 00D677EC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 79063e285abdd136e0c9329b6d754761113d7e5e4269e3e55d412750ab194a85
Instruction ID: cd2f2b1399c84fc241292d2869f06b6a8400a04143b28ca448c5e8c4bca361ed
Opcode Fuzzy Hash: 79063e285abdd136e0c9329b6d754761113d7e5e4269e3e55d412750ab194a85
Instruction Fuzzy Hash: D021907660821DAFDF10DFA8DD88CBB77ACEB09768B048026FA15DB250D674EC4187B4

Function 00D677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D67868
SysAllocString.OLEAUT32(00000000), ref: 00D6786B
SysAllocString.OLEAUT32 ref: 00D6788C
SysFreeString.OLEAUT32 ref: 00D67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D678AF
SysAllocString.OLEAUT32(?), ref: 00D678BD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9840e87f2f43caf93fa386bfeab21367fb848e0fcebbc5f74723707ceea5156b
Instruction ID: 2a2a112d4ffd08051b861db03949e18704126b2e91b45dc5b80e820d611de147
Opcode Fuzzy Hash: 9840e87f2f43caf93fa386bfeab21367fb848e0fcebbc5f74723707ceea5156b
Instruction Fuzzy Hash: E0217131608208BFDB109FB8DC88DAA77ECEB097647148126F915CB2A1DB70EC81CB74

Function 00D95706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D95745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D9579D
_wcslen.LIBCMT ref: 00D957AF
_wcslen.LIBCMT ref: 00D957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D95816

Strings

@U=u, xrefs: 00D95745, 00D9579D, 00D95816

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 2025c66dc50cb4843abfc58eec17eb13918a0d8af1ea5b1bae98c7e5a1213978
Instruction ID: e2860572093de86cd7e02a1414defbfc872d1d39edc7a1015f3de2d3907a1a49
Opcode Fuzzy Hash: 2025c66dc50cb4843abfc58eec17eb13918a0d8af1ea5b1bae98c7e5a1213978
Instruction Fuzzy Hash: A721A571904618EADF218FA0EC84AED77B8FF05724F148226F929EA184D770CA85CF70

Function 00D704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D7052E

Strings

nul, xrefs: 00D70567

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: eb6524f624540845be29cfd35ebcc3c24a9bc68b1c5c64c171c35ceddbb24fb5
Instruction ID: 4a0d11c2a26affda2a48069d8aaf98748cee6ee8831217a3825da84a54895142
Opcode Fuzzy Hash: eb6524f624540845be29cfd35ebcc3c24a9bc68b1c5c64c171c35ceddbb24fb5
Instruction Fuzzy Hash: 0C212C75510305EBDB209F69D845A9A7BB4AF44724F248A19E8A9D62E0E770D940CF30

Function 00D705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D70601

Strings

nul, xrefs: 00D70639

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5951a1fc14f499417a9697b6e63d7522a9083ce16ae3fc2d24e9d76ffafe1e0f
Instruction ID: 27e2e30e3c45a0986f0b7df45fb093dbc30c97acc83a1bbc4be239ea1f64e1a2
Opcode Fuzzy Hash: 5951a1fc14f499417a9697b6e63d7522a9083ce16ae3fc2d24e9d76ffafe1e0f
Instruction Fuzzy Hash: FF21A175500305DBDB209F698C54A9E7BE4AF85720F248B1AF8A5E72E0E7709860CB30

Function 00D940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D0604C
Part of subcall function 00D0600E: GetStockObject.GDI32(00000011), ref: 00D06060
Part of subcall function 00D0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D94145

Strings

Msctls_Progress32, xrefs: 00D940E3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ef6133387d5545474e1b89b6159bdacd0f1e13d38f6471d80d844ae5dbf5a61d
Instruction ID: 1eaf83ad69c456ff91fa4fb7f13af8e1e95d858308456d88f9de1fe5c8b3bb3b
Opcode Fuzzy Hash: ef6133387d5545474e1b89b6159bdacd0f1e13d38f6471d80d844ae5dbf5a61d
Instruction Fuzzy Hash: BE11B2B215021ABEEF118FA4CC85EE77F5DEF08798F004111BA18E2190C672DC21DBB4

Function 00D3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D3D7A3: _free.LIBCMT ref: 00D3D7CC

_free.LIBCMT ref: 00D3D82D

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D3D838
_free.LIBCMT ref: 00D3D843
_free.LIBCMT ref: 00D3D897
_free.LIBCMT ref: 00D3D8A2
_free.LIBCMT ref: 00D3D8AD
_free.LIBCMT ref: 00D3D8B8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ef7701efdcb3ae0b66c438744d0b000df88e293882733a236fc9bb9a18f181fa
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5B115EB1D80B14AAD661BFB0EC47FDB7BDDEF00700F400825B69AA6292DB75B5058E70

Function 00D6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D6DA74
LoadStringW.USER32(00000000), ref: 00D6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D6DA91
LoadStringW.USER32(00000000), ref: 00D6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D6DAB9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 16bfc0588a14dfa3fb9d025c59464e279140fbdaba227cd506650e1508120d0c
Instruction ID: 71f79b43ae25beb6bec5a6d03fff683fbaac5c6b18da94189090f1165fce80a4
Opcode Fuzzy Hash: 16bfc0588a14dfa3fb9d025c59464e279140fbdaba227cd506650e1508120d0c
Instruction Fuzzy Hash: 14016DF29143087FEB10EBE49D89EEB766CEB08301F401496B746E2141EA749E848F74

Function 00D7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(013BE948,013BE948), ref: 00D7097B
EnterCriticalSection.KERNEL32(013BE928,00000000), ref: 00D7098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00D7099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D709A9
CloseHandle.KERNEL32(00000000), ref: 00D709B8
InterlockedExchange.KERNEL32(013BE948,000001F6), ref: 00D709C8
LeaveCriticalSection.KERNEL32(013BE928), ref: 00D709CF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 46a2ba59cf6b05f22d4b2f398d1a25a48cdbab9a90854fcf6f79a8b9997e116a
Instruction ID: be9676827722f9df404f87ee6021140d3b048c1e21e1347913bd69fcd1ed25ae
Opcode Fuzzy Hash: 46a2ba59cf6b05f22d4b2f398d1a25a48cdbab9a90854fcf6f79a8b9997e116a
Instruction Fuzzy Hash: E3F01D31552A02EBD7415BA4EE89AD67A25BF01702F842016F201919A0D775A465CFB4

Function 00D301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00D300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D300D6
__allrem.LIBCMT ref: 00D300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3010B
__allrem.LIBCMT ref: 00D30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D30140

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 22ac1d94c2443cabc2520fb6339e5b9a17b0194034abf020bba949292cf83a21
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: B1814472A00B169BE7249F28DC52B6B77F8EF51724F28453AF551D6281E770D9048BB0

Function 00D361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D282D9,00D282D9,?,?,?,00D3644F,00000001,00000001,8BE85006), ref: 00D36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D3644F,00000001,00000001,8BE85006,?,?,?), ref: 00D362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D363D8
__freea.LIBCMT ref: 00D363E5

Part of subcall function 00D33820: RtlAllocateHeap.NTDLL(00000000,?,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6,?,00D01129), ref: 00D33852

__freea.LIBCMT ref: 00D363EE
__freea.LIBCMT ref: 00D36413

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a083e52fba10bcfac5567ce4e14316db45d126b81f871a321ca82500fdd19749
Instruction ID: 546b8a420047bab1ee2f911d3c4befa4729f8e2b0b912efc995a3e4dffbf3b4e
Opcode Fuzzy Hash: a083e52fba10bcfac5567ce4e14316db45d126b81f871a321ca82500fdd19749
Instruction Fuzzy Hash: 9851BE72A00216BBEB259F64DD81EBF7BAAEB44750F1D8629FC05E6141EB34DC50C6B0

Function 00D8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D8B6AE,?,?), ref: 00D8C9B5
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8C9F1
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA68
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D8BDF3
RegCloseKey.ADVAPI32(?), ref: 00D8BDFF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c20900f228240d3ec6d0aae98d0aeea980e00b70f71ed1a61d5c930e69c526f4
Instruction ID: e8fa61321d26b8e345b81c18cfc188d9bde3bc1c86ae9c4ff26537726553763b
Opcode Fuzzy Hash: c20900f228240d3ec6d0aae98d0aeea980e00b70f71ed1a61d5c930e69c526f4
Instruction Fuzzy Hash: 60817E70108241AFD714EF24C895E2ABBE5FF84318F14855DF4994B2A2DB31ED45CBA2

Function 00D5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00D5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00D5F860
VariantCopy.OLEAUT32(00D5FA64,00000000), ref: 00D5F889
VariantClear.OLEAUT32(00D5FA64), ref: 00D5F8AD
VariantCopy.OLEAUT32(00D5FA64,00000000), ref: 00D5F8B1
VariantClear.OLEAUT32(?), ref: 00D5F8BB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b241a9f5ec8921cdb1008291cb0f53ea8b56f58994898208abb0c43547eb54c1
Instruction ID: eea1ad161489730b6692edfc1e6906fb91417da1c55c8479fea5c8f1442922ac
Opcode Fuzzy Hash: b241a9f5ec8921cdb1008291cb0f53ea8b56f58994898208abb0c43547eb54c1
Instruction Fuzzy Hash: 9A51C531610310BACF20AB65D895B2DB3A8EF45312B249467FD45DF296DB709C84CFB6

Function 00D7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00D07620: _wcslen.LIBCMT ref: 00D07625

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D794E5
_wcslen.LIBCMT ref: 00D79506
_wcslen.LIBCMT ref: 00D7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D79585

Strings

X, xrefs: 00D79412

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a4987f0abd5c9a3f59aff050ed0be45b49b6a205b79b3d2a9b84774d9233cd81
Instruction ID: e7798985e9983da6af008cc18c27617bc3d9c26f30829e5aab47aebd7f51246f
Opcode Fuzzy Hash: a4987f0abd5c9a3f59aff050ed0be45b49b6a205b79b3d2a9b84774d9233cd81
Instruction Fuzzy Hash: EDE16E715083509FD724DF24C891B6AB7E4EF85314F08856DE88D9B2A2EB31ED45CBB2

Function 00D1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

BeginPaint.USER32(?,?,?), ref: 00D19241
GetWindowRect.USER32(?,?), ref: 00D192A5
ScreenToClient.USER32(?,?), ref: 00D192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D192D3
EndPaint.USER32(?,?,?,?,?), ref: 00D19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D571EA

Part of subcall function 00D19339: BeginPath.GDI32(00000000), ref: 00D19357

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1c7da16cb46918cbfbc65f704a081204b54e98a8a48809d2fecb458cefac086b
Instruction ID: 0b10e45a65f1dc4a2335c255382ed57569ba74ac1af8c1ca93b57e8f809c733d
Opcode Fuzzy Hash: 1c7da16cb46918cbfbc65f704a081204b54e98a8a48809d2fecb458cefac086b
Instruction Fuzzy Hash: C1419F70105300BFD711DF64ECA4FAABBA8EB46721F14022AF9A4C72A1CB319885DB71

Function 00D707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D70847
EnterCriticalSection.KERNEL32(?), ref: 00D70863
LeaveCriticalSection.KERNEL32(?), ref: 00D708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D70921

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 4112594a0fcf9a7d19b177e653a48247261f8df928639fd14acc569e23118f10
Instruction ID: d1d98a430af7953f3eb064d831f324628701ff2cf09501be5990c9cafbc19df4
Opcode Fuzzy Hash: 4112594a0fcf9a7d19b177e653a48247261f8df928639fd14acc569e23118f10
Instruction Fuzzy Hash: 26411871A00205EBDF14AF54DC85AAA7BB9FF04310B5880A5F904AA296DB30DE65DBB4

Function 00D7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D03A97,?,?,00D02E7F,?,?,?,00000000), ref: 00D03AC2

_wcslen.LIBCMT ref: 00D7587B
CoInitialize.OLE32(00000000), ref: 00D75995
CoCreateInstance.OLE32(00D9FCF8,00000000,00000001,00D9FB68,?), ref: 00D759AE
CoUninitialize.OLE32 ref: 00D759CC

Strings

.lnk, xrefs: 00D75876, 00D758C1, 00D75985

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: bb14e42664871cb732145ea9a66efaef5286f5c333f86e57db56f6e999f6ede8
Instruction ID: cabb2f9c5cb2b15ae07c7385d6aa1edc7e803e96b1d5a73d286b57102989abb4
Opcode Fuzzy Hash: bb14e42664871cb732145ea9a66efaef5286f5c333f86e57db56f6e999f6ede8
Instruction Fuzzy Hash: 4ED163706087019FC714DF24D484A2ABBE5FF89714F14885DF88A9B3A1EB71EC45CBA2

Function 00D6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D60FCA
Part of subcall function 00D60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D60FD6
Part of subcall function 00D60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D60FE5
Part of subcall function 00D60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D60FEC
Part of subcall function 00D60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D61002

GetLengthSid.ADVAPI32(?,00000000,00D61335), ref: 00D617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D617BA
HeapAlloc.KERNEL32(00000000), ref: 00D617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D617DA
GetProcessHeap.KERNEL32(00000000,00000000,00D61335), ref: 00D617EE
HeapFree.KERNEL32(00000000), ref: 00D617F5

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cce1d081d44e6fc3692452d64486daf6828dc4b5e87a9302600ee0a542a9c2e4
Instruction ID: 5e02274f3eae24fd05b9c2c0827aa2b30bd6acbbfe373f18ab7a6739ed4c94ba
Opcode Fuzzy Hash: cce1d081d44e6fc3692452d64486daf6828dc4b5e87a9302600ee0a542a9c2e4
Instruction Fuzzy Hash: AD117936610305EFDB109FA4CC49BAE7BA9FB46355F184419F581E7210D736AA44CB70

Function 00D614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D61515
CloseHandle.KERNEL32(00000004), ref: 00D61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D61563

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 52a96ef5a7be552bedd181b358e062db4ef95796628a46ec03ea7e9d2fcec248
Instruction ID: ab59cbb7a3030449dfaf971bca59ca65b54984530665f00251b294d8ce8041d1
Opcode Fuzzy Hash: 52a96ef5a7be552bedd181b358e062db4ef95796628a46ec03ea7e9d2fcec248
Instruction Fuzzy Hash: 74112676501209ABDF118FA8EE49BDE7BA9FF48748F084025FA05A2160C375DE60DB71

Function 00D23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D23379,00D22FE5), ref: 00D23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D233B7
SetLastError.KERNEL32(00000000,?,00D23379,00D22FE5), ref: 00D23409

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 693bb25ae2035045b6e2ec7a1012e22a22965c6d2d0a1b25acee0b274841662e
Instruction ID: 52b3fccace521db061d0095d9195ab404087ffa10109b7690d9b86cd19161e2d
Opcode Fuzzy Hash: 693bb25ae2035045b6e2ec7a1012e22a22965c6d2d0a1b25acee0b274841662e
Instruction Fuzzy Hash: 14012832618333BEA6153774BC85A262A98EB3577E7200229F510C12F0EF154E036574

Function 00D32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D35686,00D43CD6,?,00000000,?,00D35B6A,?,?,?,?,?,00D2E6D1,?,00DC8A48), ref: 00D32D78
_free.LIBCMT ref: 00D32DAB
_free.LIBCMT ref: 00D32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00D2E6D1,?,00DC8A48,00000010,00D04F4A,?,?,00000000,00D43CD6), ref: 00D32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00D2E6D1,?,00DC8A48,00000010,00D04F4A,?,?,00000000,00D43CD6), ref: 00D32DEC
_abort.LIBCMT ref: 00D32DF2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9579bc870cb770178a2ff86c5c3117c97c51af61a783ce2f5940b42884c307f0
Instruction ID: 4a94d7b85e4e37838cd19d74b2d1ab35270c95fe47822802aaa57727498375c7
Opcode Fuzzy Hash: 9579bc870cb770178a2ff86c5c3117c97c51af61a783ce2f5940b42884c307f0
Instruction Fuzzy Hash: A0F0C835D457112BC6122735BC06F3B2559EFC17B1F2C4419F824D32E2EF64880251B0

Function 00D98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D19693
Part of subcall function 00D19639: SelectObject.GDI32(?,00000000), ref: 00D196A2
Part of subcall function 00D19639: BeginPath.GDI32(?), ref: 00D196B9
Part of subcall function 00D19639: SelectObject.GDI32(?,00000000), ref: 00D196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D98A70
LineTo.GDI32(?,00000000,00000003), ref: 00D98A80
EndPath.GDI32(?), ref: 00D98A90
StrokePath.GDI32(?), ref: 00D98AA0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d0ebbbc3e3d11bae18e93803820df27c06f64a44c265a3e179ceaaa280985d74
Instruction ID: 56dcde6e9e299bf9cd79fdc036c47a4adcd3d75f9c7e2ac8a66c875e0ada514c
Opcode Fuzzy Hash: d0ebbbc3e3d11bae18e93803820df27c06f64a44c265a3e179ceaaa280985d74
Instruction Fuzzy Hash: 3B11C976040209FFDF129F94EC88EAA7F6DEB08394F048012FA199A2A1C7719D55DFB0

Function 00D651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D65230
ReleaseDC.USER32(00000000,00000000), ref: 00D65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D65261

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a4ebe68737848e08e211e9cb18e99165709bfc8396aa9f60d9d5a5fb36beb0e
Instruction ID: ead157b5c2d944e6739d08414e1feadf374903c31537877153cafa11ea367559
Opcode Fuzzy Hash: 2a4ebe68737848e08e211e9cb18e99165709bfc8396aa9f60d9d5a5fb36beb0e
Instruction Fuzzy Hash: 3F014B75A40718BBEF109BA69C49A5EBFB8EF48751F044066FA04EB391D6709804CBB4

Function 00D01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D01C22

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a1df962c2152a93071504bd139fdb0f31b7163a592a9213730f14071be1baaf7
Instruction ID: f345780a6d40a14efb66f6bef0c52fcb71b70ae90ca570eaab7efe6da37c5a5e
Opcode Fuzzy Hash: a1df962c2152a93071504bd139fdb0f31b7163a592a9213730f14071be1baaf7
Instruction Fuzzy Hash: BA016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00D6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D6EB75

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 09c537f194209ab2cb79ecbafca414259c85aa384a3b9d9f5a56600de1effbc8
Instruction ID: dab94dad52906bc71cf7e89a9ca5bf1cc54fec849d7899d70e8f0a6238eafa67
Opcode Fuzzy Hash: 09c537f194209ab2cb79ecbafca414259c85aa384a3b9d9f5a56600de1effbc8
Instruction Fuzzy Hash: 6CF05472250358BBE72157529C0EEEF3E7CEFCAB11F00115AF601E1291D7A05A01C6B5

Function 00D61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D6187F
UnloadUserProfile.USERENV(?,?), ref: 00D6188B
CloseHandle.KERNEL32(?), ref: 00D61894
CloseHandle.KERNEL32(?), ref: 00D6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D618A5
HeapFree.KERNEL32(00000000), ref: 00D618AC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c8061bad9113283371f47b7df8089a99222c977a1054d9e01ed0f1afa8f8befd
Instruction ID: fdeb0cd357eaa856b5697c6a9ab153169c0c64d067e5e86f281be4af25fce956
Opcode Fuzzy Hash: c8061bad9113283371f47b7df8089a99222c977a1054d9e01ed0f1afa8f8befd
Instruction Fuzzy Hash: DFE0E536114301BBDB015FA1EE0C90ABF39FF59B22B109222F225D1270CB329420DF74

Function 00D6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07620: _wcslen.LIBCMT ref: 00D07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D6C6EE
_wcslen.LIBCMT ref: 00D6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D6C7CA

Strings

0, xrefs: 00D6C6AF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e09149083a542de6bbb9d869f7f9b75e92e930e82c8fed947bf64520cb476792
Instruction ID: 6e0ae65bb44b095afaba7b24641f49b10e79312812f64b56758f8588669c22ce
Opcode Fuzzy Hash: e09149083a542de6bbb9d869f7f9b75e92e930e82c8fed947bf64520cb476792
Instruction Fuzzy Hash: B251C171624301ABD7109F28D885B7B77E4EF45314F082A2EF9E5D32A1DB60D9488FB6

Function 00D8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D8AEA3

Part of subcall function 00D07620: _wcslen.LIBCMT ref: 00D07625

GetProcessId.KERNEL32(00000000), ref: 00D8AF38
CloseHandle.KERNEL32(00000000), ref: 00D8AF67

Strings

<, xrefs: 00D8AE6B
@, xrefs: 00D8AE72

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7052044d97faee23e3276376668397d5a7628b96f6eb105e2e4b6ec5cb387dd0
Instruction ID: aa4b7f9528206d816c214b27e84de989ad5e29de77cc3774d7a39b2235dc132b
Opcode Fuzzy Hash: 7052044d97faee23e3276376668397d5a7628b96f6eb105e2e4b6ec5cb387dd0
Instruction Fuzzy Hash: DA714770A00615DFDB15EF58C484A9EBBF0EF08314F04849AE85AAB392CB74ED41CBB1

Function 00D96278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013CE1B0,?), ref: 00D962E2
ScreenToClient.USER32(?,?), ref: 00D96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D96382

Strings

@U=u, xrefs: 00D963DD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: eb5ca7c4bbb3a9b9c16bf0dbfcf95f5d720cfcbc16bfcc82274e8baad5877c6a
Instruction ID: 6f189f4af36fde0314fc5797ec0437935469279c3efc2d332e3547ae0af7b156
Opcode Fuzzy Hash: eb5ca7c4bbb3a9b9c16bf0dbfcf95f5d720cfcbc16bfcc82274e8baad5877c6a
Instruction Fuzzy Hash: 83510C74A01209EFDF10DF68D990AAE7BB5EB45360F18825AF815D72A0D730ED41CB60

Function 00D62716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621D0,?,?,00000034,00000800,?,00000034), ref: 00D6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D62760

Part of subcall function 00D6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D6B3F8

Part of subcall function 00D6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D6B355
Part of subcall function 00D6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D62194,00000034,?,?,00001004,00000000,00000000), ref: 00D6B365
Part of subcall function 00D6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D62194,00000034,?,?,00001004,00000000,00000000), ref: 00D6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D6281A

Strings

@, xrefs: 00D62832
@U=u, xrefs: 00D62760, 00D627CD, 00D6281A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: ff2768583fba308cb1c49ef5f27e77fb367e789a9657c60d22d4931ab49b2acc
Instruction ID: 53bd66092a5f3eeb1cdd0f4754f024e4e7d402977a3bbfd4253fbec62b0d191e
Opcode Fuzzy Hash: ff2768583fba308cb1c49ef5f27e77fb367e789a9657c60d22d4931ab49b2acc
Instruction Fuzzy Hash: 3A412C76900218AFDB10DBA4CD41FEEBBB8EB05310F004055EA55B7191DB706E85CBB0

Function 00D6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D672CF

Strings

DllGetClassObject, xrefs: 00D67242

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0279e57f2258c909ec183334524e4cfc5add407c287ee984e5e91d5537b98c37
Instruction ID: 159a895ddd4e1171dc29852f74902d4b59583ddc26d8d34351e2da7742314211
Opcode Fuzzy Hash: 0279e57f2258c909ec183334524e4cfc5add407c287ee984e5e91d5537b98c37
Instruction Fuzzy Hash: 4E415E71A04208EFDB15CF54C895A9A7BA9EF48718F1480ADFD05DF20AD7B1D944CBB4

Function 00D952C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D95352
GetWindowLongW.USER32(?,000000F0), ref: 00D95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D953A8

Strings

@U=u, xrefs: 00D95352

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 34b8d40110aff862f38767451aebe2c9693b370994a0da28405aef34784807d5
Instruction ID: da26714b9aac86810c977e18fa5ec985a30ff71621ccb2ec9137c143ebc6d955
Opcode Fuzzy Hash: 34b8d40110aff862f38767451aebe2c9693b370994a0da28405aef34784807d5
Instruction Fuzzy Hash: 16310334A55A08FFEF329E54EC15FE83761EB05390F5C4122FA51862E4C7B0AD809B71

Function 00D8C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D8C9F1
_wcslen.LIBCMT ref: 00D8CA68
_wcslen.LIBCMT ref: 00D8CA9E
_wcslen.LIBCMT ref: 00D8CAF9
_wcslen.LIBCMT ref: 00D8CB2F
_wcslen.LIBCMT ref: 00D8CB7F

Strings

HKLM, xrefs: 00D8CA98, 00D8CA9D
HKEY_LOCAL_MACHINE, xrefs: 00D8CA62, 00D8CA67

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 05d46e19562789ccefbeec95cb1960bc67e890b3eec4936d1ad90b9eae52ccce
Instruction ID: 6cb5653a018c0ba67fd485c1aa2680185bcca312ade6c8c64f3276ce1645792a
Opcode Fuzzy Hash: 05d46e19562789ccefbeec95cb1960bc67e890b3eec4936d1ad90b9eae52ccce
Instruction Fuzzy Hash: E4310673A6016ACBCB28FF6C98406BF3391DBA1754B0D502AEC55AB345E671CE8097B0

Function 00D92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D92F8D
LoadLibraryW.KERNEL32(?), ref: 00D92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D92FA9
DestroyWindow.USER32(?), ref: 00D92FB1

Strings

SysAnimate32, xrefs: 00D92F68

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 4ac5ea28c7828c1d0434a57518ff77ff8313fa87ec7316162697d587260a67d0
Instruction ID: 326a36f8c9e7e74afa1f425cf091f321ee135ed61600bab3f4e714f97a3c9107
Opcode Fuzzy Hash: 4ac5ea28c7828c1d0434a57518ff77ff8313fa87ec7316162697d587260a67d0
Instruction Fuzzy Hash: 94218672200209BBEF109FA6DC80EBB37B9EF59368F140629FA54D21A0D771DC919B70

Function 00D95660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D956BB
_wcslen.LIBCMT ref: 00D956CD
_wcslen.LIBCMT ref: 00D956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D95816

Strings

@U=u, xrefs: 00D956BB, 00D95816

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 8f781e13ba5ef4f3066fcfcee2d22b8d22dcfec8fef4ac2338f4dbc1b4ccbc74
Instruction ID: 19b530b1e69470d220649931ec9fc7b45d62024cd0e531dcdbbfadb4b821ad60
Opcode Fuzzy Hash: 8f781e13ba5ef4f3066fcfcee2d22b8d22dcfec8fef4ac2338f4dbc1b4ccbc74
Instruction Fuzzy Hash: 9B110375600618A6DF21DF61EC81AEE37ACEF11764B14403AF915D6185E770CA80CF70

Function 00D0600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D0604C
GetStockObject.GDI32(00000011), ref: 00D06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D0606A

Strings

@U=u, xrefs: 00D0606A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 80a8a20ecedc28ddb7b1b1ad7a73a623b8b38a37a3c44766c7cf8db857a8e18a
Instruction ID: 584f3551828866bceba4e3078f6906ea7c1e3c052387070b143c21a513a207fc
Opcode Fuzzy Hash: 80a8a20ecedc28ddb7b1b1ad7a73a623b8b38a37a3c44766c7cf8db857a8e18a
Instruction Fuzzy Hash: 4F116D72541609BFEF124FA4DC54FEABB69EF083A4F040216FA1892160D732DC60EBB0

Function 00D24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D24D1E,00D328E9,?,00D24CBE,00D328E9,00DC88B8,0000000C,00D24E15,00D328E9,00000002), ref: 00D24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00D24D1E,00D328E9,?,00D24CBE,00D328E9,00DC88B8,0000000C,00D24E15,00D328E9,00000002,00000000), ref: 00D24DC3

Strings

mscoree.dll, xrefs: 00D24D86
CorExitProcess, xrefs: 00D24D98

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1d136e6cdb87d95f102b61235006e48e1b5ab5fa6552b38157ec89f0ae05926
Instruction ID: b3db6ae9dca2d027a05bcf1b0a1738a98e9f7513954efb9eafe5988646b9fb60
Opcode Fuzzy Hash: f1d136e6cdb87d95f102b61235006e48e1b5ab5fa6552b38157ec89f0ae05926
Instruction Fuzzy Hash: B7F0AF30A10318BBDB109F90EC09BADBFB4EF04715F0400A5F809E2260CB305D40CAB0

Function 00D5D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D5D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D5D3BF
FreeLibrary.KERNEL32(00000000), ref: 00D5D3E5

Strings

X64, xrefs: 00D5D2A8
GetSystemWow64DirectoryW, xrefs: 00D5D3B9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 10ba6c4ab54813e2bf8ca5e88b45689f0835695b7318245c89076dc9293655b3
Instruction ID: 6212f8197d9118443db80938031b5747858f354c9deaedab617940f1a575b24d
Opcode Fuzzy Hash: 10ba6c4ab54813e2bf8ca5e88b45689f0835695b7318245c89076dc9293655b3
Instruction Fuzzy Hash: F1F02031406B22ABEF305B108C08A697622AF00703F58915AEC42F2220DB20CD8C8ABA

Function 00D04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D04EDD,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D04EAE
FreeLibrary.KERNEL32(00000000,?,?,00D04EDD,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04EC0

Strings

kernel32.dll, xrefs: 00D04E94
Wow64DisableWow64FsRedirection, xrefs: 00D04EA8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d578d8367317a0b7e5851f411a1fe75f07d89c6b830596d0612dd4fd5253ce61
Instruction ID: bdffb58c2fd5122598e79527c054de00b7ab599a6dcdd07ea1273876b90317b3
Opcode Fuzzy Hash: d578d8367317a0b7e5851f411a1fe75f07d89c6b830596d0612dd4fd5253ce61
Instruction Fuzzy Hash: B4E08C36A227225BD2221B25BC18F6B6658AF81B62B090116FE08E3290DB60CD0681F9

Function 00D04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D43CDE,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D04E74
FreeLibrary.KERNEL32(00000000,?,?,00D43CDE,?,00DD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D04E87

Strings

kernel32.dll, xrefs: 00D04E5B
Wow64RevertWow64FsRedirection, xrefs: 00D04E6E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b70677a6c5efd6a95f33825bdea2cf44843fd34279a47ddcd1044451d7e9e3f2
Instruction ID: 2a759e8fbb9dbcb6c9331ad9a0d6ba5a533ddec6f370e348c6a1cdfd95e0ed26
Opcode Fuzzy Hash: b70677a6c5efd6a95f33825bdea2cf44843fd34279a47ddcd1044451d7e9e3f2
Instruction Fuzzy Hash: D3D0C2315227225B8A221B24BC08F8B2A18EF81B11309011ABA0CF3290CF20CD0281F4

Function 00D8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D8A468
CloseHandle.KERNEL32(?), ref: 00D8A63D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f4e6df11b74689cc1895f94fc0721a679814c9aec250d511c0704dfc6902a659
Instruction ID: ddb3359d5c749c7412dfe4e6fc9ac1510dd1c3445be598503a894dc03fefc294
Opcode Fuzzy Hash: f4e6df11b74689cc1895f94fc0721a679814c9aec250d511c0704dfc6902a659
Instruction Fuzzy Hash: FDA19271604701AFE720EF18D886F2AB7E5EF84714F14885DF5599B2D2DBB0EC418BA2

Function 00D3BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00DA3700), ref: 00D3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00DD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00D3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00DD1270,000000FF,?,0000003F,00000000,?), ref: 00D3BC36
_free.LIBCMT ref: 00D3BB7F

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D3BD4B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 1ed9e97a487b84913d9af5cedd70cdfb6d5dae82d1236495b198961a3b50ecdc
Instruction ID: 9e041937c6954d9897febed7c537357f7dca6fcb444d89dcb51411cdceafd825
Opcode Fuzzy Hash: 1ed9e97a487b84913d9af5cedd70cdfb6d5dae82d1236495b198961a3b50ecdc
Instruction Fuzzy Hash: AF51C471900319AFCB20EF759C829AABBB8EF40370F14026BE655D7291EB309E40CB74

Function 00D6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D6CF22,?), ref: 00D6DDFD

Part of subcall function 00D6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D6CF22,?), ref: 00D6DE16

Part of subcall function 00D6E199: GetFileAttributesW.KERNEL32(?,00D6CF95), ref: 00D6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D6E473
MoveFileW.KERNEL32(?,?), ref: 00D6E4AC
_wcslen.LIBCMT ref: 00D6E5EB
_wcslen.LIBCMT ref: 00D6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D6E650

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 20bae64c3230d891cd1147c246d666e2d499edfe8428059703eb549c1efbb20f
Instruction ID: a37b2e68c2f89eed0f13913293460c7842977c59b65082a64c2b609bb1d0b9ee
Opcode Fuzzy Hash: 20bae64c3230d891cd1147c246d666e2d499edfe8428059703eb549c1efbb20f
Instruction Fuzzy Hash: A35171B24083849BC724EBA0D8919DBB3DCEF95344F04491EF689D3191EF74E5888B7A

Function 00D8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D8B6AE,?,?), ref: 00D8C9B5
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8C9F1
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA68
Part of subcall function 00D8C998: _wcslen.LIBCMT ref: 00D8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D8BBB3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6318fe723fad8ddd02822f1e30b42a23129921aef5bc93dcc3a2d7998d5c002b
Instruction ID: e06b388c49cf1078a61d74809d0eacd4b23d7cdc88bbf231483e69d6bd8081bd
Opcode Fuzzy Hash: 6318fe723fad8ddd02822f1e30b42a23129921aef5bc93dcc3a2d7998d5c002b
Instruction Fuzzy Hash: 6F618031208241AFD714EF14C491E2ABBE5FF84318F58855DF4998B2A2DB31ED45CBB2

Function 00D68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D68BCD
VariantClear.OLEAUT32 ref: 00D68C3E
VariantClear.OLEAUT32 ref: 00D68C9D
VariantClear.OLEAUT32(?), ref: 00D68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D68D3B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 0ef19356d7c04a471b9e315487f73355789411d5c30a2f04fc59eab2f4c27892
Instruction ID: fd68f97ab5e77e049fe1e1265fc395057ea1eb385f2a3da220b6cb59c115b89e
Opcode Fuzzy Hash: 0ef19356d7c04a471b9e315487f73355789411d5c30a2f04fc59eab2f4c27892
Instruction Fuzzy Hash: 3D515BB5A00619EFCB14CF68C894AAAB7F9FF89314B158559F905DB350E730E911CFA0

Function 00D78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D78C5F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: aae5897d65ae996dc4c717f9cc2d0962cc24799dca1595726e1360639d88b2a8
Instruction ID: 4c74c2685b03034753a3b906508ad7e225c3a337139d981c8c34b29bbcb0513f
Opcode Fuzzy Hash: aae5897d65ae996dc4c717f9cc2d0962cc24799dca1595726e1360639d88b2a8
Instruction Fuzzy Hash: B8515C75A00215AFCB01DF64C885AA9BBF5FF48314F08C459E849AB3A2DB31ED41DBB0

Function 00D88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D89032
FreeLibrary.KERNEL32(00000000), ref: 00D89052

Part of subcall function 00D1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D71043,?,75B8E610), ref: 00D1F6E6
Part of subcall function 00D1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D5FA64,00000000,00000000,?,?,00D71043,?,75B8E610,?,00D5FA64), ref: 00D1F70D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8ca5b7e86c980351ee1cd45db6a274c460a84ac187b531c99d97aa5272af207a
Instruction ID: 29857d3b2f993b5bb4e06baf4d58ca3e6133d743843c75a5c6153aa3594a8fdb
Opcode Fuzzy Hash: 8ca5b7e86c980351ee1cd45db6a274c460a84ac187b531c99d97aa5272af207a
Instruction Fuzzy Hash: B4513C35604205DFC711EF54C4949ADBBF1FF49324B488099E94AAB362DB31ED85CFA1

Function 00D32051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D320C3
_free.LIBCMT ref: 00D320E3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ef1f759cbb6d07fcb78e2e8213ec0e5a258e34b65a4128859d5c6d8fc6a42689
Instruction ID: a4e11d6fba713cb1aa0f9d3484642459a3fc374d189f4d8563ae07658da2342f
Opcode Fuzzy Hash: ef1f759cbb6d07fcb78e2e8213ec0e5a258e34b65a4128859d5c6d8fc6a42689
Instruction Fuzzy Hash: BB41C172E00300AFCB24DF78C981A6EB7B5EF89714F1945A8E615EB355DB31AD01CBA0

Function 00D1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D19141
ScreenToClient.USER32(00000000,?), ref: 00D1915E
GetAsyncKeyState.USER32(00000001), ref: 00D19183
GetAsyncKeyState.USER32(00000002), ref: 00D1919D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 618eb43c149c75d08861abdfb73413ba8bdf69fe4d551285d9f49fb69b6803aa
Instruction ID: 1a3bcad9226ceb0ef62675ea0c36d7ad341b959f01e881d0bff527fa533ca0cd
Opcode Fuzzy Hash: 618eb43c149c75d08861abdfb73413ba8bdf69fe4d551285d9f49fb69b6803aa
Instruction Fuzzy Hash: CB416071A0861ABBDF159F64D858BEEF774FB05320F244215E869A32D0CB3069D4CB71

Function 00D73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D73922
TranslateMessage.USER32(?), ref: 00D7394B
DispatchMessageW.USER32(?), ref: 00D73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D73966

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f2ab8915e511b021904a50d9afd8d384b7f656a3cbef0e23eeeae98dced401b2
Instruction ID: 73ace7744a70b1e966696ae0396092772c7b0fd09af92227d6688491939de932
Opcode Fuzzy Hash: f2ab8915e511b021904a50d9afd8d384b7f656a3cbef0e23eeeae98dced401b2
Instruction Fuzzy Hash: A031D970505341BEEB35CB74D848BB637A4EB05300F08855FD56AC2290F3B49685EF31

Function 00D7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00D7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D7C21E,00000000), ref: 00D7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D7C21E,00000000), ref: 00D7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D7C21E,00000000), ref: 00D7CFF2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e60936546440e316234d9cf84e828fdfdeebda9a1d9b335becf9c745af98daa7
Instruction ID: c7fbfecdadf7d70725ab58b68f037e46362422bc8cc501b770f12df57c7fbdd2
Opcode Fuzzy Hash: e60936546440e316234d9cf84e828fdfdeebda9a1d9b335becf9c745af98daa7
Instruction Fuzzy Hash: 8B317C71615305AFDB20DFA5D884AABBBF9EF04310B14942EF50AD2200EB30EE409B70

Function 00D61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D619E2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9e9d7545dd25e8d570dbc3e8524e6e2e4b095d1fbca86ede9a7f7cbb9912f894
Instruction ID: 0702a865bc5f02f9e6e08a9e92b0d617f931ccd47c7d562f43366d864038f9ce
Opcode Fuzzy Hash: 9e9d7545dd25e8d570dbc3e8524e6e2e4b095d1fbca86ede9a7f7cbb9912f894
Instruction Fuzzy Hash: 3C31C075A00219EFCB00CFA8CD99ADE3BB5EB04315F18422AF961E72D1C7709944CFA0

Function 00D80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D80951
GetForegroundWindow.USER32 ref: 00D80968
GetDC.USER32(00000000), ref: 00D809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D809B0
ReleaseDC.USER32(00000000,00000003), ref: 00D809E8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 657d0dfdf51ec7d7a09f09966c16eb14615a7a59db0d24a1bb1191d59cb0849a
Instruction ID: 749ef5e8b97ce0cac48180192a7aa1f967553642c87d0d792eecae79560d217a
Opcode Fuzzy Hash: 657d0dfdf51ec7d7a09f09966c16eb14615a7a59db0d24a1bb1191d59cb0849a
Instruction Fuzzy Hash: 46218135610204AFD714EF69C888AAEBBE5EF48700F04806DF85AD7362DB30AC44CB70

Function 00D3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D3CDE9

Part of subcall function 00D33820: RtlAllocateHeap.NTDLL(00000000,?,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6,?,00D01129), ref: 00D33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D3CE0F
_free.LIBCMT ref: 00D3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D3CE31

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: af42b97f75f34f8c8b258dab5d000ce064be9c74991294cfe0cce9754497e091
Instruction ID: 6434663dea7605240659899bea526b0c756a0ef5a97716a78bc96bc347708f1f
Opcode Fuzzy Hash: af42b97f75f34f8c8b258dab5d000ce064be9c74991294cfe0cce9754497e091
Instruction Fuzzy Hash: 5E01A7726213157F232126B66C8CD7B796DDEC6BE1B19112AFD05F7201EA618D0193B0

Function 00D19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D19693
SelectObject.GDI32(?,00000000), ref: 00D196A2
BeginPath.GDI32(?), ref: 00D196B9
SelectObject.GDI32(?,00000000), ref: 00D196E2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7f330732d393428bd0d6b0259538e60bba5d23acd9f8b1ea8b4c676e07a9e592
Instruction ID: 588c7a8929b7319958916fe58bf8c6de4399f9b250f47c7035e0267caa17c3aa
Opcode Fuzzy Hash: 7f330732d393428bd0d6b0259538e60bba5d23acd9f8b1ea8b4c676e07a9e592
Instruction Fuzzy Hash: 46213674912305BBDB119F64EC387E9BBA8FB00366F140216F820E62A1D7709896CFB4

Function 00D65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D65726
_memcmp.LIBVCRUNTIME ref: 00D65744
_memcmp.LIBVCRUNTIME ref: 00D65757
_memcmp.LIBVCRUNTIME ref: 00D6576F
_memcmp.LIBVCRUNTIME ref: 00D65787

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aee7f2aeb89a6fe687e62bdb8c38abb5b387a12e2139ede942d9d34aba0ec9fc
Instruction ID: 36853cf2f1cc090ce2f7ee23d5db6fa4d045342141154ec6c65379d7ac976aac
Opcode Fuzzy Hash: aee7f2aeb89a6fe687e62bdb8c38abb5b387a12e2139ede942d9d34aba0ec9fc
Instruction Fuzzy Hash: 0F01B575645619BFD7089610BD82FBB735DDB313A8F148020FD04AB645F761EDA482F0

Function 00D32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D2F2DE,00D33863,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6), ref: 00D32DFD
_free.LIBCMT ref: 00D32E32
_free.LIBCMT ref: 00D32E59
SetLastError.KERNEL32(00000000,00D01129), ref: 00D32E66
SetLastError.KERNEL32(00000000,00D01129), ref: 00D32E6F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0e8fa67725bcf51df1b11b85c2f43e5dc1a75f1770a8c436aa1b6611756ca953
Instruction ID: 29f8bc4b36f429a74c775dafe5ad4755172857912e0523c4c318aeaa1cb89956
Opcode Fuzzy Hash: 0e8fa67725bcf51df1b11b85c2f43e5dc1a75f1770a8c436aa1b6611756ca953
Instruction Fuzzy Hash: A901FF36A457016BC6122775AC47E3B2A6AEBC13B1F29402AF965F22A2EB74CC015030

Function 00D6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?,?,00D6035E), ref: 00D6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?), ref: 00D60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?), ref: 00D60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?), ref: 00D60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D5FF41,80070057,?,?), ref: 00D60070

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7283148cf442a33f029bb578abd481c9028dad0d7b8a01a88aba8e235033040d
Instruction ID: 40a0bce2dcaa7faa00ed8c2ea5980c94fcd4f8b4dd345615df13a3cd9211fddd
Opcode Fuzzy Hash: 7283148cf442a33f029bb578abd481c9028dad0d7b8a01a88aba8e235033040d
Instruction Fuzzy Hash: 14018672620304BFDB108F68DC08BAB7EADEB48792F185125F905D2210EBB1DD408BB0

Function 00D6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D6E9A5
Sleep.KERNEL32(00000000), ref: 00D6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D6E9B7
Sleep.KERNEL32 ref: 00D6E9F3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2a50583cbdbe80a4109ce9f72a1ae4e8b6f680e916fec52091ae696ea144db62
Instruction ID: 110e561d899a3fe2c3b9c1a6c41ddab5c75879b48edc62b2cb270d327da2dda1
Opcode Fuzzy Hash: 2a50583cbdbe80a4109ce9f72a1ae4e8b6f680e916fec52091ae696ea144db62
Instruction Fuzzy Hash: 8F010239D01629DBCF00AFE9D859AEEBBB8BF09701F400557E942B2241CB3096558BB6

Function 00D610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D60B9B,?,?,?), ref: 00D61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6114D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 48f3e98cd46321e29fc118eb5d04591678c9c38f28fe06afd78222e47a21dc0e
Instruction ID: fd2bc272e708d53cedee4b0fe9a95b34d1d84738cc988ab5e83991d4ca4fb932
Opcode Fuzzy Hash: 48f3e98cd46321e29fc118eb5d04591678c9c38f28fe06afd78222e47a21dc0e
Instruction Fuzzy Hash: B6013CB9210305BFDB114FA5DC49E6A3F6EEF8A3A0B64441AFA45D7360DB31DC009A70

Function 00D60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D61002

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4a90a30cabc6451badaeb489c5ed365d4b085044ae0360a2386bb28f5024f05b
Instruction ID: 15f85369999b6073dad0a0164be36cc4a044e7095e7997b1585b177c5a84e4cf
Opcode Fuzzy Hash: 4a90a30cabc6451badaeb489c5ed365d4b085044ae0360a2386bb28f5024f05b
Instruction Fuzzy Hash: F3F06D39210302EBDB214FA4DC4EF5A3BADEF89762F644416FA49D7361CA70DC408A70

Function 00D61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D61062

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d2809d5d0cd1bf869fd1034814a4ba73b28ea06b749d765cb2ceffbde004683e
Instruction ID: 2d1781e719f273e0b4e43bf7104b819be6bed5e824d1d7648ea03e0cc6230fcc
Opcode Fuzzy Hash: d2809d5d0cd1bf869fd1034814a4ba73b28ea06b749d765cb2ceffbde004683e
Instruction Fuzzy Hash: 38F06D39250311EBDB215FA4EC4AF5A3BADEF89761F240416FA49D7360CA70D8408AB0

Function 00D7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D70324
CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D70331
CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D7033E
CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D7034B
CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D70358
CloseHandle.KERNEL32(?,?,?,?,00D7017D,?,00D732FC,?,00000001,00D42592,?), ref: 00D70365

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 48d29982c65f726613c2fea63a0646d8340ee244a39df507ee02602f75f9f295
Instruction ID: 2db3215a14a7b6106ea916a169b24eead33e20494b6cf88efb358110819f42dc
Opcode Fuzzy Hash: 48d29982c65f726613c2fea63a0646d8340ee244a39df507ee02602f75f9f295
Instruction Fuzzy Hash: CC019072800B15DFC7309F66D880412FBF9BF502153198A3FD19A52971D371A954CEA0

Function 00D3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D3D752

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D3D764
_free.LIBCMT ref: 00D3D776
_free.LIBCMT ref: 00D3D788
_free.LIBCMT ref: 00D3D79A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 090d727c3d65008a7ef77cfa89f30924876217fe24147ceb30aa1646bc2883cf
Instruction ID: da3d48fa84ea6e99f45b2fc35eff0b757a41de7f76c45a7d72ffb712d9450e4b
Opcode Fuzzy Hash: 090d727c3d65008a7ef77cfa89f30924876217fe24147ceb30aa1646bc2883cf
Instruction Fuzzy Hash: A2F012B2954316AB8621EB64F9C6D2677DEFB44711FA81845F149D7601CB30FC808E74

Function 00D65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D65C6F
MessageBeep.USER32(00000000), ref: 00D65C87
KillTimer.USER32(?,0000040A), ref: 00D65CA3
EndDialog.USER32(?,00000001), ref: 00D65CBD

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3f31c9dc79b1bc6cd7b32a1083711a6e27fc719872bd6b4f228273506c6999b2
Instruction ID: 0cb8c5c362df5c35d80db50165ee60aecd9295db3a5eb617262af76009b9cd5c
Opcode Fuzzy Hash: 3f31c9dc79b1bc6cd7b32a1083711a6e27fc719872bd6b4f228273506c6999b2
Instruction Fuzzy Hash: 7A018130510B04AFEB205B10ED4EFA67BB8BB00B05F05155AA583E11E5DBF0A9848BB0

Function 00D322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D322BE

Part of subcall function 00D329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000), ref: 00D329DE
Part of subcall function 00D329C8: GetLastError.KERNEL32(00000000,?,00D3D7D1,00000000,00000000,00000000,00000000,?,00D3D7F8,00000000,00000007,00000000,?,00D3DBF5,00000000,00000000), ref: 00D329F0

_free.LIBCMT ref: 00D322D0
_free.LIBCMT ref: 00D322E3
_free.LIBCMT ref: 00D322F4
_free.LIBCMT ref: 00D32305

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ba1d92f6266bb8f89fc12e6c97b06d9b923985a6925beb3548b01c088fc01fbf
Instruction ID: 8d5cd4ee36ebf461421c4c53bcfa8e8caf169a2006118f86a8e3531d435bcb43
Opcode Fuzzy Hash: ba1d92f6266bb8f89fc12e6c97b06d9b923985a6925beb3548b01c088fc01fbf
Instruction Fuzzy Hash: 7BF03A78C923329B8A12AFA4BC02A2D3F64FB18760F15154BF514D23B1C7310812AFB8

Function 00D195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D195D4
StrokeAndFillPath.GDI32(?,?,00D571F7,00000000,?,?,?), ref: 00D195F0
SelectObject.GDI32(?,00000000), ref: 00D19603
DeleteObject.GDI32 ref: 00D19616
StrokePath.GDI32(?), ref: 00D19631

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ad01b0397c5da98a5c3a57722a13aca924b1bda1462a23b4a9c7c55a101cd5d3
Instruction ID: 0d86ca02507a9c39f4f037e1dfd256644b7addf76d11c2d4e414abda896f2926
Opcode Fuzzy Hash: ad01b0397c5da98a5c3a57722a13aca924b1bda1462a23b4a9c7c55a101cd5d3
Instruction Fuzzy Hash: 40F0C939016304FBDB165F65ED387A47B65EB01322F048216F469E52F1CB308995DF34

Function 00D30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00D310F9
__freea.LIBCMT ref: 00D31117

Part of subcall function 00D31537: _free.LIBCMT ref: 00D3154F

Strings

am/pm, xrefs: 00D3117A
a/p, xrefs: 00D311DE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 05ae7af5dcea291fc99ce68046e89006b9222064756d0cd0dd5ea60de0f0bdcd
Instruction ID: 1f281604232178cc24e328d0e5e33d1ae3a1fd3829c6439f82f2bad05cb44a9f
Opcode Fuzzy Hash: 05ae7af5dcea291fc99ce68046e89006b9222064756d0cd0dd5ea60de0f0bdcd
Instruction Fuzzy Hash: 1AD1CF3D900207DADB289F68C896BFAB7B1EF06700F2C4259E941AB651D7759D80CBB1

Function 00D87B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00D20242: EnterCriticalSection.KERNEL32(00DD070C,00DD1884,?,?,00D1198B,00DD2518,?,?,?,00D012F9,00000000), ref: 00D2024D
Part of subcall function 00D20242: LeaveCriticalSection.KERNEL32(00DD070C,?,00D1198B,00DD2518,?,?,?,00D012F9,00000000), ref: 00D2028A

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D200A3: __onexit.LIBCMT ref: 00D200A9

__Init_thread_footer.LIBCMT ref: 00D87BFB

Part of subcall function 00D201F8: EnterCriticalSection.KERNEL32(00DD070C,?,?,00D18747,00DD2514), ref: 00D20202
Part of subcall function 00D201F8: LeaveCriticalSection.KERNEL32(00DD070C,?,00D18747,00DD2514), ref: 00D20235

Strings

Variable must be of type 'Object'., xrefs: 00D87C3A
G, xrefs: 00D87C7F
5, xrefs: 00D87C78

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ab2f5a244ef667279e1e8cbb5be81e4de864d98215ad4c76d18dfc0171f83541
Instruction ID: afc727c0260fe3b8f9db975fe97ba862705269a05da7f0ba63d0258437c7eebe
Opcode Fuzzy Hash: ab2f5a244ef667279e1e8cbb5be81e4de864d98215ad4c76d18dfc0171f83541
Instruction Fuzzy Hash: 9B913874A04209EFCB14EF58D8919BDB7B1EF49304F248059F846AB292DB71EE45CB71

Function 00D3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6YmCyBvw73.exe,00000104), ref: 00D31769
_free.LIBCMT ref: 00D31834
_free.LIBCMT ref: 00D3183E

Strings

C:\Users\user\Desktop\6YmCyBvw73.exe, xrefs: 00D31760, 00D31767, 00D31796, 00D317CE

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\6YmCyBvw73.exe
API String ID: 2506810119-873884815
Opcode ID: 983b1c43b07e3fb3cd065b33491359c91927c94f724dd362709bbf589f7879ef
Instruction ID: bcd39b28ec57a07a9ce059c2db681f05bb78a73e95d982e614a38f56b911842f
Opcode Fuzzy Hash: 983b1c43b07e3fb3cd065b33491359c91927c94f724dd362709bbf589f7879ef
Instruction Fuzzy Hash: 5B316CB9A41319FBDB21DB999C85D9EBBBCEB85310F1841A6E804D7311D6718E40CBB4

Function 00D6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00DD1990,013C5CD8), ref: 00D6C395

Strings

0, xrefs: 00D6C2DF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 35560af7695c94cee3cd64a18d2523c8743bfdb00ee858cc8889df581f70a454
Instruction ID: 7e68b9c8477013c2f1dd8fd6cb297a562de4f729faf8a07d1e6015a177c085e2
Opcode Fuzzy Hash: 35560af7695c94cee3cd64a18d2523c8743bfdb00ee858cc8889df581f70a454
Instruction Fuzzy Hash: 7B418C712143019FD720EF25D884B6ABBE8EB85320F149A1EF9A5973D1D730E904CB72

Function 00D94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D9CC08,00000000,?,?,?,?), ref: 00D944AA
GetWindowLongW.USER32 ref: 00D944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D944D7

Strings

SysTreeView32, xrefs: 00D9447C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6cae9f689ff28bc6dd6bb9ed73fdd18ba92ecd787bae4c8d49c2cfd40a13ed62
Instruction ID: 9f298ab54b1b871071bbc8ddc9dfe3aea14b2eeceb42eb52305d42ffa99ab1d7
Opcode Fuzzy Hash: 6cae9f689ff28bc6dd6bb9ed73fdd18ba92ecd787bae4c8d49c2cfd40a13ed62
Instruction Fuzzy Hash: 3F316B31210205AFDF208E78DC45FEA7BA9EB08324F254715F979A22E1DB70EC519B70

Function 00D8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D83077,?,?), ref: 00D83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D8307A
_wcslen.LIBCMT ref: 00D8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D83106

Strings

255.255.255.255, xrefs: 00D83095, 00D8309A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: df17dc7b5b7137540fb01ad39ae02476076e6da4ea5d964c4c34eb0cf50bd984
Instruction ID: 809db00060c2e5edf9c7e567c9318d5a8293f860befbb0238a32e98dc4119475
Opcode Fuzzy Hash: df17dc7b5b7137540fb01ad39ae02476076e6da4ea5d964c4c34eb0cf50bd984
Instruction Fuzzy Hash: B231E435604305DFCB10EF28C485EAA77E0EF14B18F288059E91A8B392DB72EE41C770

Function 00D94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D9471A

Strings

msctls_updown32, xrefs: 00D94684

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5c682c762d645cf94ea806787810027230deb52b0b1cc7fbe36895919059b19c
Instruction ID: 271bb88483ecbc4e30576aae62f4b1e1807b7b286b3606bd4c67108c95ed9282
Opcode Fuzzy Hash: 5c682c762d645cf94ea806787810027230deb52b0b1cc7fbe36895919059b19c
Instruction Fuzzy Hash: 9E214FB5601209AFDB10DF64DC91DBA37ADEB5A3A4B040059F61097352DB30EC12CA70

Function 00D695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D6961D

Strings

#notrayicon, xrefs: 00D695B7
#OnAutoItStartRegister, xrefs: 00D695F3
#requireadmin, xrefs: 00D695D9

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9442152cc13870d5c9bc7b3d33075a5f4aa97276b5a7d444dd9e87433ad94434
Instruction ID: be452e26ab6a20f6d8f0fe4dde978678a27ece8eb3aaea274f4f4f1fdcd533bf
Opcode Fuzzy Hash: 9442152cc13870d5c9bc7b3d33075a5f4aa97276b5a7d444dd9e87433ad94434
Instruction Fuzzy Hash: A621267220466067C731AB24D822FB7B39CDFA1314F58402AF94A9B081EB71AD45C2B5

Function 00D937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D93876

Strings

Listbox, xrefs: 00D9380F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 844609610b7c3b60d5eed2199c5491cff13ca89a855a3a134a3aaf4a7215832d
Instruction ID: dd23b0d7ca786405a840dd1be3ab822fb4854af3f39a9fd7a4ae3dedde7b816f
Opcode Fuzzy Hash: 844609610b7c3b60d5eed2199c5491cff13ca89a855a3a134a3aaf4a7215832d
Instruction Fuzzy Hash: FA21A172610218BBEF219F94CC85FBB376EEF89754F148125F9059B190C671DC528BB0

Function 00D6223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D62258

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D6228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D622CA

Strings

@U=u, xrefs: 00D62258, 00D6228A, 00D622CA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 857bfad96ddd80ca86b45470cbd4932b73f0e7fc17be3f0ce029c16086318392
Instruction ID: 86c36edb3d491d68758b032fc0f602ff4371260c164c41ba616238009e866d75
Opcode Fuzzy Hash: 857bfad96ddd80ca86b45470cbd4932b73f0e7fc17be3f0ce029c16086318392
Instruction Fuzzy Hash: 4521C931700304AFDB109B549D8AFFE3BADEB59710F045025FA05EB291DB70C94587B2

Function 00D749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D74A5C
SetErrorMode.KERNEL32(00000000,?,?,00D9CC08), ref: 00D74AD0

Strings

%lu, xrefs: 00D74A6F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: efef19547b0ac237989ade865bc57b56fe541f21f0c558b5c29deb8ec8712228
Instruction ID: aed2a54f9a927bef034050f43f757fdc17df25bb84d0f4363885d5e0d92e9db5
Opcode Fuzzy Hash: efef19547b0ac237989ade865bc57b56fe541f21f0c558b5c29deb8ec8712228
Instruction Fuzzy Hash: E1310C75A00209AFDB11DF54C985EAABBF8EF08308F1480A9E909DB252D771ED45CB75

Function 00D61B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D61B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D61B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00D61B99

Strings

@U=u, xrefs: 00D61B99

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 32c7d443d4a62c504a050957a16c1090ffa55e2e2487cb83ca23675e611f2ad1
Instruction ID: 368f1b304124893008a766ed09208ac3c4193b01955b1d2f6e4ab7c704d98c9b
Opcode Fuzzy Hash: 32c7d443d4a62c504a050957a16c1090ffa55e2e2487cb83ca23675e611f2ad1
Instruction Fuzzy Hash: C1218E76600118BFDB15DBACD8419AEB7FAEF45340F18046AE105E32A0EB71AE40CBB4

Function 00D80CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00D80D24
SendMessageW.USER32(0000000C,00000000,?), ref: 00D80D65
SendMessageW.USER32(0000000C,00000000,?), ref: 00D80D8D

Strings

@U=u, xrefs: 00D80D24, 00D80D65, 00D80D8D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 447171dfb205b733d34e8352a1bc8871b088be7a0ec0cc386d52642240b0385e
Instruction ID: 4bfbcbd5112d798498d4582141be8c9836027a1b293571154047cc8c64270fe7
Opcode Fuzzy Hash: 447171dfb205b733d34e8352a1bc8871b088be7a0ec0cc386d52642240b0385e
Instruction Fuzzy Hash: 0A210876200600AFD710EB64DD85E6AB7E6FB09710B008556F919DBAB1C720FC50CBB0

Function 00D941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D94271

Strings

msctls_trackbar32, xrefs: 00D94226

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 676320cf1809be101175fefcea6c738124ebb4a15aaa285795506ebf3743226e
Instruction ID: 587dbcbea9b7fc36f17bb8241eb7a59d6e0dda45e8f88874dd4db42ef5a543d9
Opcode Fuzzy Hash: 676320cf1809be101175fefcea6c738124ebb4a15aaa285795506ebf3743226e
Instruction Fuzzy Hash: 94110632240308BEEF205F29CC06FAB3BACEF85B54F110524FA55E21A1D271DC529B34

Function 00D62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

Part of subcall function 00D62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D62DC5
Part of subcall function 00D62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D62DD6
Part of subcall function 00D62DA7: GetCurrentThreadId.KERNEL32 ref: 00D62DDD
Part of subcall function 00D62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D62DE4

GetFocus.USER32 ref: 00D62F78

Part of subcall function 00D62DEE: GetParent.USER32(00000000), ref: 00D62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D62FC3
EnumChildWindows.USER32(?,00D6303B), ref: 00D62FEB

Strings

%s%d, xrefs: 00D62FFF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 49e1e3308396d88707a617686b822cc2cf94ee400ccbb0571221348c3a974ada
Instruction ID: 372d50757490ad53061ee48a4a88a3d9d36423e5112eb9dbb35e119f9e21b0fc
Opcode Fuzzy Hash: 49e1e3308396d88707a617686b822cc2cf94ee400ccbb0571221348c3a974ada
Instruction Fuzzy Hash: 6F117FB56002056BDF15BF64DC85FEE376AEF94304F045075B9099B292DE7099498B70

Function 00D93429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D934BA

Strings

edit, xrefs: 00D9348F
@U=u, xrefs: 00D934BA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: f766166d0c554df7b531c7151a8416a82aabb43b1bfe4eeddfb5658dcaf00f8b
Instruction ID: 7733a55416f3bcd0fcdeecfabfb78d5ee5af3fba97c560da4662d268f1c694d2
Opcode Fuzzy Hash: f766166d0c554df7b531c7151a8416a82aabb43b1bfe4eeddfb5658dcaf00f8b
Instruction Fuzzy Hash: D6118C71100208AFEF128F64DC44AAB37AAEB05778F554724F965D32E0C771EC619B70

Function 00D61CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D61D4C

Strings

ListBox, xrefs: 00D61D16
ComboBox, xrefs: 00D61CEB
@U=u, xrefs: 00D61D4C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: d25931fe4b9319a5cfb74ef406ff1f09a6086cd97a77425499b9117f57a77fc2
Instruction ID: d864100c14551b7b55c717f78087e354592da9655201608e6588c5036df1cea0
Opcode Fuzzy Hash: d25931fe4b9319a5cfb74ef406ff1f09a6086cd97a77425499b9117f57a77fc2
Instruction Fuzzy Hash: 6001D875641214ABCB04EBA4CC51EFEB768EB56350F080619F876973D2EA3059088B70

Function 00D61BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D61C46

Strings

ListBox, xrefs: 00D61C10
ComboBox, xrefs: 00D61BE5
@U=u, xrefs: 00D61C46

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 7c06a4b0d8b8bbd03644fe8870c3d111768af2652383dec5b60c2d280cf061b8
Instruction ID: 4935de6b6ee1ae03c9f75b68a650cb73a10da481a60fa7afe0cb98c8782fd6ab
Opcode Fuzzy Hash: 7c06a4b0d8b8bbd03644fe8870c3d111768af2652383dec5b60c2d280cf061b8
Instruction Fuzzy Hash: E801A7B5A811046BDB04EB90C962FFFB7A8DB11340F180019B516672C2EA209E2C96B1

Function 00D61C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

Part of subcall function 00D63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D61CC8

Strings

ListBox, xrefs: 00D61C94
ComboBox, xrefs: 00D61C69
@U=u, xrefs: 00D61CC8

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 7aa2db2978ab9d1725368e5f26d92459e6e28eb5653c2d842f48e3025f21fd89
Instruction ID: 851e295c3c91344ec84386e448a051a002e5accbff35d20f04326b88aca537a3
Opcode Fuzzy Hash: 7aa2db2978ab9d1725368e5f26d92459e6e28eb5653c2d842f48e3025f21fd89
Instruction Fuzzy Hash: B601D6B5A801586BDB04EBA1CA11FFFF7A8DB11340F190019B806B32C2EA209F1CD671

Function 00D95882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D958EE
DrawMenuBar.USER32(?), ref: 00D958FD

Strings

0, xrefs: 00D9588F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 35f7e87dd1fb9a10e1e2cf05f3d6fcf78e19269332ccfe534a74615bf01dd8d5
Instruction ID: ee0f0cdba6831a8af728a6e380ed5066ef3ddf6fbf16172a012dba238dba1c66
Opcode Fuzzy Hash: 35f7e87dd1fb9a10e1e2cf05f3d6fcf78e19269332ccfe534a74615bf01dd8d5
Instruction Fuzzy Hash: 94016D31500218EFDF629F21EC44BAEBBB4FB45760F1480AAF849D6251DB308A84DF31

Function 00D97803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00DD18B0,00D9A364,000000FC,?,00000000,00000000,?,?,?,00D576CF,?,?,?,?,?), ref: 00D97805
GetFocus.USER32 ref: 00D9780D

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

Part of subcall function 00D19944: GetWindowLongW.USER32(?,000000EB), ref: 00D19952

SendMessageW.USER32(013CE1B0,000000B0,000001BC,000001C0), ref: 00D9787A

Strings

@U=u, xrefs: 00D9787A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 51451ac550b4a084768954bd1589e8b227ddd92eddb77cf89b4cde05ffed4649
Instruction ID: 161a7a4b62b00c16b4042fb51e3616caedc929e04f96c108a3b45f1819608b9e
Opcode Fuzzy Hash: 51451ac550b4a084768954bd1589e8b227ddd92eddb77cf89b4cde05ffed4649
Instruction Fuzzy Hash: 310121356152109FD725DB28D868AF677E6EF8A320F18026AE425C73A1DB316C46CF70

Function 00D6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d69f16adb163dc12da31e8d83d9db72d32929143ebc300b16b4564b4511d1fd
Instruction ID: 18a0c9adb969aacc81eb2b973a57d66a2d8bc5ad1ac2764a3ad5c3dcdaf440c7
Opcode Fuzzy Hash: 8d69f16adb163dc12da31e8d83d9db72d32929143ebc300b16b4564b4511d1fd
Instruction Fuzzy Hash: 0BC13C75A00216EFDB14CFA8C894EAEBBB5FF48705F148598E505EB251D731ED41CBA0

Function 00D8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D83459
CoUninitialize.OLE32 ref: 00D83463
VariantInit.OLEAUT32(?), ref: 00D8346E
VariantClear.OLEAUT32(?), ref: 00D8371B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 06321ca8551354401f3830428806ea901d367a777cfd3df3ee904f2de776db1f
Instruction ID: d208957372efcff208907858e4d2f8a9dab5d3b3fbcb93283b5e11e2d20c19ad
Opcode Fuzzy Hash: 06321ca8551354401f3830428806ea901d367a777cfd3df3ee904f2de776db1f
Instruction Fuzzy Hash: ADA10B756043019FC710EF28C985A6AB7E5FF88714F048859F9899B3A2DB30EE45CB71

Function 00D60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D9FC08,?), ref: 00D605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D9FC08,?), ref: 00D60608
CLSIDFromProgID.OLE32(?,?,00000000,00D9CC40,000000FF,?,00000000,00000800,00000000,?,00D9FC08,?), ref: 00D6062D
_memcmp.LIBVCRUNTIME ref: 00D6064E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7d8e0a448f641eb5afef93e6d507d9c3037e3a501d6162aa5faba5bbf070a68f
Instruction ID: 7c8577978d2c349b455b4f37c76263821a22c3c827998bcfb96ebab813d4a064
Opcode Fuzzy Hash: 7d8e0a448f641eb5afef93e6d507d9c3037e3a501d6162aa5faba5bbf070a68f
Instruction Fuzzy Hash: DA81F975A00209EFCB04DFD4C984EEEBBB9FF89315F244558E516AB250DB71AE06CB60

Function 00D41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D414C0

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 32d07ed7be3b8250d4eccc64bb8c48839eddb93d46285ff7b3255764dd0a7cab
Instruction ID: 866867eddf9d7ba069127ff9412bba5b65c3376979f2fb16d93146ea088639a0
Opcode Fuzzy Hash: 32d07ed7be3b8250d4eccc64bb8c48839eddb93d46285ff7b3255764dd0a7cab
Instruction Fuzzy Hash: FA416D39A00220ABDB217BFCAC45ABE3AB5EF52370F284635F41DE6192E77488C15671

Function 00D81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D81AFD
WSAGetLastError.WSOCK32 ref: 00D81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D81B8A
WSAGetLastError.WSOCK32 ref: 00D81B94

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1bd2d4b827053de59654183e9884e7f4ccb4f590f4f798e32c0f3a5d652e2b7c
Instruction ID: 0bbf75fb72736cd9c855308f219ff283c03b912f60cb43501ffa40ea75ceacb1
Opcode Fuzzy Hash: 1bd2d4b827053de59654183e9884e7f4ccb4f590f4f798e32c0f3a5d652e2b7c
Instruction Fuzzy Hash: 3A4191786002006FE720AF24D886F6977E5EB45718F548458F95A9F3D2D772ED82CBB0

Function 00D3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1d2a6c5da24b4d62ae6595186cd1bbe68bad13013b39c94bfa5df9dc4cf150
Instruction ID: a3ca633a41b10a340771494903eb97bf32e7cfabcbe2a94c33479fe25514c76e
Opcode Fuzzy Hash: cf1d2a6c5da24b4d62ae6595186cd1bbe68bad13013b39c94bfa5df9dc4cf150
Instruction Fuzzy Hash: 54410676A00714AFD7249F38CC41B6ABBE9EF88724F10453BF241DB282D771994187B4

Function 00D756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D75783
GetLastError.KERNEL32(?,00000000), ref: 00D757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D757FA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4ba76c7faf268868e209408a4f176aabf6c31d89b0be14c1a82128469fe1c126
Instruction ID: 18638f69014b9f87f776a7730c720238c4178aaefd60cc4075ee470a3f611c8c
Opcode Fuzzy Hash: 4ba76c7faf268868e209408a4f176aabf6c31d89b0be14c1a82128469fe1c126
Instruction Fuzzy Hash: D041E935600610DFCB11EF15C544A59BBE1EF89320B19C488E84E9B3A2DB74FD408BB2

Function 00D3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D26D71,00000000,00000000,00D282D9,?,00D282D9,?,00000001,00D26D71,8BE85006,00000001,00D282D9,00D282D9), ref: 00D3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D3D9AB
__freea.LIBCMT ref: 00D3D9B4

Part of subcall function 00D33820: RtlAllocateHeap.NTDLL(00000000,?,00DD1444,?,00D1FDF5,?,?,00D0A976,00000010,00DD1440,00D013FC,?,00D013C6,?,00D01129), ref: 00D33852

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 19e79bb9fc41a744bf0a285698fe100baf50df75a2ad3859ab7b3596d83f3ad6
Instruction ID: 4d6a7575c0f226a33d0ca57b67d3a31e3e318bd638dde3a770177289941c48e2
Opcode Fuzzy Hash: 19e79bb9fc41a744bf0a285698fe100baf50df75a2ad3859ab7b3596d83f3ad6
Instruction Fuzzy Hash: 2F31AB72A0021AABDB259F64EC41EAE7BA6EB40310F094269FC04E7251EB75DD50CFB0

Function 00D6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00D6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D6AC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00D6ACC6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 65578264569863b92a660e3d3e8d04670708430a0c7730bfdd0ee665dc8f8eda
Instruction ID: ce305e9bd1668d43eda89ba3e3f7c10378dfe9f96902267cc1205d6806b8329d
Opcode Fuzzy Hash: 65578264569863b92a660e3d3e8d04670708430a0c7730bfdd0ee665dc8f8eda
Instruction Fuzzy Hash: 6B310734A407186FEF35CB6D8C147FABBA5AB89310F09431AE4C5A22D1C375D9859B72

Function 00D97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D9769A
GetWindowRect.USER32(?,?), ref: 00D97710
PtInRect.USER32(?,?,00D98B89), ref: 00D97720
MessageBeep.USER32(00000000), ref: 00D9778C

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 554afca677a72d105f90ee682bd0cd441636029b06509a4792e87c4c0754dba3
Instruction ID: d2d72a1b190257ae4b65a01c32224395c184df6b24814363ff0db5faa8102d4c
Opcode Fuzzy Hash: 554afca677a72d105f90ee682bd0cd441636029b06509a4792e87c4c0754dba3
Instruction Fuzzy Hash: 32413638A19214EFCF11CF98C894EA9B7B5FB49314F1941A9E824DB361C730A942CFB0

Function 00D916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D916EB

Part of subcall function 00D63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D63A57
Part of subcall function 00D63A3D: GetCurrentThreadId.KERNEL32 ref: 00D63A5E
Part of subcall function 00D63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D625B3), ref: 00D63A65

GetCaretPos.USER32(?), ref: 00D916FF
ClientToScreen.USER32(00000000,?), ref: 00D9174C
GetForegroundWindow.USER32 ref: 00D91752

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1d5b7ad6e82a09c1f40fb4452ee97b69347cfbe6a3e6616909885b43dadbfd1b
Instruction ID: e7a9dd7158118e5a8050143fc2ae3dfcc092e524e073584031e08e4932b3c5ec
Opcode Fuzzy Hash: 1d5b7ad6e82a09c1f40fb4452ee97b69347cfbe6a3e6616909885b43dadbfd1b
Instruction Fuzzy Hash: DA314375D00249AFDB04EFA5C881DAEBBF9EF48304B54806AE415E7251D731DE45CBB1

Function 00D6D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D6D52F
CloseHandle.KERNEL32(00000000), ref: 00D6D5DC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e0d30be71aa15ba71a8ea99fd2700f215a31e2a2b46717a143e2048bd45d958a
Instruction ID: 409fdf01294d8eba43c1b9a71b752284a04ac965c95f6857e0444c053c48a81d
Opcode Fuzzy Hash: e0d30be71aa15ba71a8ea99fd2700f215a31e2a2b46717a143e2048bd45d958a
Instruction Fuzzy Hash: 4931A4716083009FD300EF54D891BAFBBF8EF99354F54052DF586962A2EB719948CBB2

Function 00D98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

GetCursorPos.USER32(?), ref: 00D99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D57711,?,?,?,?,?), ref: 00D99016
GetCursorPos.USER32(?), ref: 00D9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D57711,?,?,?), ref: 00D99094

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b401c5810af696eda52f77b7389e4f1cb64a62506bd993272eec5faf54208749
Instruction ID: a683d0156cf94862648065ff3880963ae0c2cb2a240503fc9829f0b06be20dcc
Opcode Fuzzy Hash: b401c5810af696eda52f77b7389e4f1cb64a62506bd993272eec5faf54208749
Instruction Fuzzy Hash: 18219F35600118FFCF258F99C868EEABBB9EB49350F04405AF91987261C73299A0DB70

Function 00D6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D9CB68), ref: 00D6D2FB
GetLastError.KERNEL32 ref: 00D6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D9CB68), ref: 00D6D376

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: bd1a30eadb7f17a0f7dce82e73f68d98e67bfbcc192bb313f187ac81511fc0f9
Instruction ID: 99d918ad2ce47b02fc3c3b21660ed182f483c854d8fe2121b7957eead9bff6f2
Opcode Fuzzy Hash: bd1a30eadb7f17a0f7dce82e73f68d98e67bfbcc192bb313f187ac81511fc0f9
Instruction Fuzzy Hash: A4217C70A083019F8710DF28D88196AB7E8EE5A324F544A1AF499C73A1E730D949CBB3

Function 00D61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D6102A
Part of subcall function 00D61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D61036
Part of subcall function 00D61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D61045
Part of subcall function 00D61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D6104C
Part of subcall function 00D61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D615BE
_memcmp.LIBVCRUNTIME ref: 00D615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D61617
HeapFree.KERNEL32(00000000), ref: 00D6161E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 25ea7723efb43d06ce04de04e5f520ce17baa2f26d4231730f82dd1ae0df59f4
Instruction ID: 6708dab2370ce8393be18857e35b9c6b9e5bee6875e361a425599d8c5458d725
Opcode Fuzzy Hash: 25ea7723efb43d06ce04de04e5f520ce17baa2f26d4231730f82dd1ae0df59f4
Instruction Fuzzy Hash: D2214875E00209AFDF10DFA8C945BEEB7B8EF54354F1C8459E445AB241E770AA05CBB0

Function 00D92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D92840

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 692337bc4fc0da92c5dae38e685ce6edce96375ad0706b2a91f7638ad5dc3192
Instruction ID: ac10e696e62c0660e67f1569bbe7c2ca5b3e0adf1e093c72fbee4c9095415a09
Opcode Fuzzy Hash: 692337bc4fc0da92c5dae38e685ce6edce96375ad0706b2a91f7638ad5dc3192
Instruction Fuzzy Hash: AB218131205511BFDB149B24C845FBA7B95EF45324F158259E41A8B6E2C771EC42C7B0

Function 00D678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D6790A,?,000000FF,?,00D68754,00000000,?,0000001C,?,?), ref: 00D68D8C
Part of subcall function 00D68D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00D68DB2
Part of subcall function 00D68D7D: lstrcmpiW.KERNEL32(00000000,?,00D6790A,?,000000FF,?,00D68754,00000000,?,0000001C,?,?), ref: 00D68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D68754,00000000,?,0000001C,?,?,00000000), ref: 00D67923
lstrcpyW.KERNEL32(00000000,?), ref: 00D67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D68754,00000000,?,0000001C,?,?,00000000), ref: 00D67984

Strings

cdecl, xrefs: 00D6797B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4feea1802f4a96632c29d4bc2d5018901b1df8c9e9da4d62e3acf5de43b7a861
Instruction ID: eb981902a847c46f153d7822960c4c0fdf8f4a72bc3767355d04ddfa1ed9b1ca
Opcode Fuzzy Hash: 4feea1802f4a96632c29d4bc2d5018901b1df8c9e9da4d62e3acf5de43b7a861
Instruction Fuzzy Hash: 5F11EE3A200306AFCB159F38D844E7A77E9FF85394B44402BF842CB2A4EB319801DBB1

Function 00D97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D7B7AD,00000000), ref: 00D97D6B

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fb7be111da6255b45259ed745af241fa6f090402aad53f3bb44d30401e7c4e7e
Instruction ID: 16455042b7e3683f9a38c0a7c882cc13b2c4c825b55faf91efb9a87034bcfb40
Opcode Fuzzy Hash: fb7be111da6255b45259ed745af241fa6f090402aad53f3bb44d30401e7c4e7e
Instruction Fuzzy Hash: 08115875625615ABCF109F68DC04AA63BA5AF45360F194725F839C72E0D7309951CB60

Function 00D61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D61A8A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c4e0fc172a0c7f960121043b8301114a015b95b1cf998081c36252e1de6eccc1
Instruction ID: e09cc38704f25e7600eb6699e2b73de2766fd2528c88c2cb9ea564583ba1001b
Opcode Fuzzy Hash: c4e0fc172a0c7f960121043b8301114a015b95b1cf998081c36252e1de6eccc1
Instruction Fuzzy Hash: 21113C3AD01219FFEB10DBE4CD85FADBB78EB04750F240491E604B7290D6716E51DBA4

Function 00D6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D6E24D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 70da577c33dc9093d8e1111d438a24c5da665eacf105d359941bb12ddd89ffd2
Instruction ID: 0b48354206dd45aff87e731c11634a27464270edf47e17c367811b187f339168
Opcode Fuzzy Hash: 70da577c33dc9093d8e1111d438a24c5da665eacf105d359941bb12ddd89ffd2
Instruction Fuzzy Hash: F711C47A904354BFC7019BA8EC09A9E7FADEB45324F044256F924E3391D6B0CA0487B4

Function 00D2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00D2CFF9,00000000,00000004,00000000), ref: 00D2D218
GetLastError.KERNEL32 ref: 00D2D224
__dosmaperr.LIBCMT ref: 00D2D22B
ResumeThread.KERNEL32(00000000), ref: 00D2D249

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4df4cebad2dabbb1a9eb6c07769402f133eaebf9f55c860494bde9e741604f29
Instruction ID: d4ac24432d99b09004f14f51602b9349af7053746ad56b81fec298b22bbc324a
Opcode Fuzzy Hash: 4df4cebad2dabbb1a9eb6c07769402f133eaebf9f55c860494bde9e741604f29
Instruction Fuzzy Hash: 1501D636815224BBDB115BA5EC09BAE7A6ADFA2338F140219F925D61D0CB71C901C6B0

Function 00D23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00D23B56

Part of subcall function 00D23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D23AD2
Part of subcall function 00D23AA3: ___AdjustPointer.LIBCMT ref: 00D23AED

_UnwindNestedFrames.LIBCMT ref: 00D23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00D23BA4

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 61332d4e837bc093ae72d6ff326458502ea9d48cf0abd8a7aa6e60993e96ff14
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B2012932100158BBDF126E95EC42EEB7F6AEFA8758F044014FE4856121C736E961DBB0

Function 00D33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D013C6,00000000,00000000,?,00D3301A,00D013C6,00000000,00000000,00000000,?,00D3328B,00000006,FlsSetValue), ref: 00D330A5
GetLastError.KERNEL32(?,00D3301A,00D013C6,00000000,00000000,00000000,?,00D3328B,00000006,FlsSetValue,00DA2290,FlsSetValue,00000000,00000364,?,00D32E46), ref: 00D330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D3301A,00D013C6,00000000,00000000,00000000,?,00D3328B,00000006,FlsSetValue,00DA2290,FlsSetValue,00000000), ref: 00D330BF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d5b18895f6908fd6f2ef50f250544087181ec58512bd9adcf53e31d95a2eaf7b
Instruction ID: 4b0fd7d7a4837c3b03bb81ff4484c7b6df92c971868a373436a2aef2bbe1b19b
Opcode Fuzzy Hash: d5b18895f6908fd6f2ef50f250544087181ec58512bd9adcf53e31d95a2eaf7b
Instruction Fuzzy Hash: F8012B32352722ABCB354F78AD84A577B98AF45BB1F280621F945E7290C721D901C7F0

Function 00D67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D674CA

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: de9b9ce000c621a15779ad9699c3f01799eeb0fc7b407b016324f4fdf62954db
Instruction ID: 3ef673c97d1fc2867d71291f8f631847bb1e387859b10a3f07789196ef52aaa1
Opcode Fuzzy Hash: de9b9ce000c621a15779ad9699c3f01799eeb0fc7b407b016324f4fdf62954db
Instruction Fuzzy Hash: 34116DB5205319ABE7208F54DD0DB927BFCEB40B08F10856AA656D6191DBB4F904DBB0

Function 00D6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D6ACD3,?,00008000), ref: 00D6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D6ACD3,?,00008000), ref: 00D6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D6ACD3,?,00008000), ref: 00D6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D6ACD3,?,00008000), ref: 00D6B126

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cc9aaa072a26c3c60fb0e6d805c7ebdda3c97b1453804cc1f504350c59581f05
Instruction ID: 3e7fa4f89969ce5ebc07c7047d57f7e8878cfbb1f69cdcc8fba1b5c94908067f
Opcode Fuzzy Hash: cc9aaa072a26c3c60fb0e6d805c7ebdda3c97b1453804cc1f504350c59581f05
Instruction Fuzzy Hash: CB112A31D01719E7CF00DFA4E958AEEBB78FB0A721F104086D941F2245CB3495908B75

Function 00D62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D62DD6
GetCurrentThreadId.KERNEL32 ref: 00D62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D62DE4

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 18d5623bce5676266ab3298faa5f294279e493b0711b8fb7c560058c2696beab
Instruction ID: 3bebceb779ad309e47df40c7873fa95fa9a0e68b29214a93a35ac856df5becef
Opcode Fuzzy Hash: 18d5623bce5676266ab3298faa5f294279e493b0711b8fb7c560058c2696beab
Instruction Fuzzy Hash: AAE092712117247BDB201B729C0DFFB3E6CEF42BA1F441416F105D21A0DAA5C840CAF0

Function 00D98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D19693
Part of subcall function 00D19639: SelectObject.GDI32(?,00000000), ref: 00D196A2
Part of subcall function 00D19639: BeginPath.GDI32(?), ref: 00D196B9
Part of subcall function 00D19639: SelectObject.GDI32(?,00000000), ref: 00D196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D98887
LineTo.GDI32(?,?,?), ref: 00D98894
EndPath.GDI32(?), ref: 00D988A4
StrokePath.GDI32(?), ref: 00D988B2

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 514fb4c7913d93846a4741566b759e32f6c7f23db8608eb5b6509f95b069059b
Instruction ID: e962c6b204d32df3ce60aa3c9829346d20996db06d7e0ef1e840a7d318447e59
Opcode Fuzzy Hash: 514fb4c7913d93846a4741566b759e32f6c7f23db8608eb5b6509f95b069059b
Instruction Fuzzy Hash: 7CF05E36042358FADB126F94AC19FCE3F59AF06710F048002FA15A62E1C7755551DFF9

Function 00D198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D198CC
SetTextColor.GDI32(?,?), ref: 00D198D6
SetBkMode.GDI32(?,00000001), ref: 00D198E9
GetStockObject.GDI32(00000005), ref: 00D198F1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b226a020b5000a098971cebe9673436232d35c034826c14382dfdaebde60e6a5
Instruction ID: 8d93e51832758b13230191fe3e708719733f6567661f3cbf4e477abe01f45e3e
Opcode Fuzzy Hash: b226a020b5000a098971cebe9673436232d35c034826c14382dfdaebde60e6a5
Instruction Fuzzy Hash: 72E06D31254780ABDF215B74FC19BE83F20AB12336F18921AFAFAA81E1C77146449B30

Function 00D6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D611D9), ref: 00D6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D611D9), ref: 00D61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D611D9), ref: 00D6164F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4fd265e1fb2efa3285ee8df5c8351ef7eb1c240bfed871faaf7d89488f192d36
Instruction ID: 4f3bc1b0dbdb1c3403e6c9de05bf1380934492b7e14a101acca403082b2bedc7
Opcode Fuzzy Hash: 4fd265e1fb2efa3285ee8df5c8351ef7eb1c240bfed871faaf7d89488f192d36
Instruction Fuzzy Hash: 10E08C3A612311EBDB301FE0AE0EB863B7CAF44792F18880AF249C9080E6348440CB74

Function 00D5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D5D858
GetDC.USER32(00000000), ref: 00D5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D5D882
ReleaseDC.USER32(?), ref: 00D5D8A3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 50fa8e796d1c9b2881104a4e172837824030495601ade8b0594b242a8997cc06
Instruction ID: 829fb809135761e49084139044cf6ce924c6cedf5a338a8f2a4e4bf169b7f89d
Opcode Fuzzy Hash: 50fa8e796d1c9b2881104a4e172837824030495601ade8b0594b242a8997cc06
Instruction Fuzzy Hash: 89E0E5B1810305EFCF419FA0980866DBBB2EB08311F14A00AE84AE7360CB399941AF70

Function 00D5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D5D86C
GetDC.USER32(00000000), ref: 00D5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D5D882
ReleaseDC.USER32(?), ref: 00D5D8A3

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fed744f45f77e94d6191f00c157ce20d6ead46846508961bf156453484639d05
Instruction ID: 04279eec962d2090bae7f6f3a329e6b22ab26e6395e5b798acf7aeab650e1a83
Opcode Fuzzy Hash: fed744f45f77e94d6191f00c157ce20d6ead46846508961bf156453484639d05
Instruction Fuzzy Hash: 18E09AB5810305EFCF519FA0D80866DBBB5FB48311F14A54AF94AE7360DB3999419F60

Function 00D74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07620: _wcslen.LIBCMT ref: 00D07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D74ED4

Strings

LPT, xrefs: 00D74DFB
*, xrefs: 00D74E10

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: fae2fc0932eb4beda265c868477020516fc1400bc7dd4b97c301dd150c6af28c
Instruction ID: c8acbe148bad25a64244bd14d751b7e75815be3e98ba52eca722e8aa822996d4
Opcode Fuzzy Hash: fae2fc0932eb4beda265c868477020516fc1400bc7dd4b97c301dd150c6af28c
Instruction Fuzzy Hash: BD915E75A002049FCB15DF58C484EAABBF1EF44314F19C099E84A9F3A2D731ED85CBA1

Function 00D2E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D2E30D

Strings

pow, xrefs: 00D2E2E5, 00D2E302

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0226a0231f731587d87cce6109c2c0ce902ccec08e98e27745f830fd901cd9c7
Instruction ID: 8c344d7998669419c792ac1b87ecf420b09d0c7366ffb06a309df51e03cec0de
Opcode Fuzzy Hash: 0226a0231f731587d87cce6109c2c0ce902ccec08e98e27745f830fd901cd9c7
Instruction Fuzzy Hash: 73518FB1A0C602D6CB31B718ED013793B94EF50746F384958F0D6823E9DB34CC819AB6

Function 00D1E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00D1E1B1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 264f9017d78fe694d240146059cd45b88b87b5ceb6c5de6ed0bbc20c9d1c2102
Instruction ID: d391442217d752be53b10092403921f55b9a3bec8a0e9b490ae629d1985db646
Opcode Fuzzy Hash: 264f9017d78fe694d240146059cd45b88b87b5ceb6c5de6ed0bbc20c9d1c2102
Instruction Fuzzy Hash: 5D511435900256EFDF19EF28D051AFA7BA8EF59311F284055EC919B2D0DA309E86C7B0

Function 00D1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D1F2BB

Strings

@, xrefs: 00D1F2AF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8b6ed4e6edb56b111f338d99a25b4920c4f0fda9a37fcf67b5c9d3e271f0f201
Instruction ID: 8c3d3547fb7c264f7552bffca45492523e406cbbcec01dcbe20247ae1daf7804
Opcode Fuzzy Hash: 8b6ed4e6edb56b111f338d99a25b4920c4f0fda9a37fcf67b5c9d3e271f0f201
Instruction Fuzzy Hash: 0C5123728187459BD320AF10D886BABBBF8FF84300F81895DF199811A5EB709529CB77

Function 00D62999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D629EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D62A8D

Part of subcall function 00D62C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D62CE0

Strings

@U=u, xrefs: 00D629EB, 00D62A8D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 4a02e6a827fee0bd3cda14f71d135d3cfdbd7fc7fa94b553e7be13d939316fd4
Instruction ID: 600204b0c3cfbd99887eb91959a41413823b0c4e62e83415a17c52722e69f09f
Opcode Fuzzy Hash: 4a02e6a827fee0bd3cda14f71d135d3cfdbd7fc7fa94b553e7be13d939316fd4
Instruction Fuzzy Hash: 43416071A00608ABDF25DF94C846BFE7BB9EF44754F084029F909A32D1DB709A44CBB2

Function 00D85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D857E0
_wcslen.LIBCMT ref: 00D857EC

Strings

CALLARGARRAY, xrefs: 00D857E6, 00D857EB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 1386e71e2a1c6750001277d1a5049052ba537465ec0e362cc68cc8f2a5bdefe3
Instruction ID: 4383b74d7c980a6f62191e2f7b5fab159e146e3b91bfc124d79b604b9f796956
Opcode Fuzzy Hash: 1386e71e2a1c6750001277d1a5049052ba537465ec0e362cc68cc8f2a5bdefe3
Instruction Fuzzy Hash: 7E418071E002099FCB14EFA9D8819AEBBB5EF59324F14406AE505A7295EB709D81CBB0

Function 00D7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D7D13A

Strings

|, xrefs: 00D7D10B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9829fbf038c63dc4629349489488bee99079e75e8ea87056fc9b613b181f8809
Instruction ID: ca2d3deeb41468dccaa8afb4ae39792531e8f6085e4a0333dbc4b3db072045d5
Opcode Fuzzy Hash: 9829fbf038c63dc4629349489488bee99079e75e8ea87056fc9b613b181f8809
Instruction Fuzzy Hash: 03313E71D00219ABCF15EFA4CC85AEE7FBAFF04300F404019F819A6166E771A956CB70

Function 00D9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D9365C

Strings

static, xrefs: 00D935BC

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 41e6649956dd62b770da27dbe4f4aa28f68abef4fe3a2e744e307b16e6be2b33
Instruction ID: 7f64051a390109b444e021171df4accb37b6cb2d093d4775cfbc40a8c4089d8f
Opcode Fuzzy Hash: 41e6649956dd62b770da27dbe4f4aa28f68abef4fe3a2e744e307b16e6be2b33
Instruction Fuzzy Hash: 02318A71110204AADB10DF68DC80AFB73A9FF88764F00961AF9A9D7290DA31AD91D770

Function 00D94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D94634

Strings

', xrefs: 00D9458E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c381f53f5674e20af280db836b4a05641dce69e485ccccd20feb66058d29e47c
Instruction ID: 44a474eebef2fd6f0340766a3446acba144c0ba6f3cbaf13df37d75a726ae79c
Opcode Fuzzy Hash: c381f53f5674e20af280db836b4a05641dce69e485ccccd20feb66058d29e47c
Instruction Fuzzy Hash: 553117B4A013099FDF54CFA9C990BDA7BB5FF09300F15416AE905AB392D770A942CFA0

Function 00D03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D433A2

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D03A04

Strings

Line: , xrefs: 00D433EB

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: fe432551f722847f4ad5b3ec591415cd19b905aa60d8690c2b0c183700fca89a
Instruction ID: 0dfbbddaa124773e2fb70e9c7291c29341f66a0b27b88b752543f488699731b1
Opcode Fuzzy Hash: fe432551f722847f4ad5b3ec591415cd19b905aa60d8690c2b0c183700fca89a
Instruction Fuzzy Hash: 75318F71509300ABD725EB24E845BEAB7DCEB40714F04452AF59D921D1EB70A649CBF2

Function 00D6286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D62884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D628B6

Strings

@U=u, xrefs: 00D62884, 00D628B6

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 1e2a8f6f87c8df1ceea95875f8e0f4cbe05394dbde26b0fc61987c34bce07621
Instruction ID: 14ce1fa14c52a28c9123a315258b16a07ea12c58a4e78fc58e70aba780187b25
Opcode Fuzzy Hash: 1e2a8f6f87c8df1ceea95875f8e0f4cbe05394dbde26b0fc61987c34bce07621
Instruction Fuzzy Hash: 3321D672E00614ABCB15EF949881DBEB7B9EFC8710F14412AF919A7290EA749D41CBB0

Function 00D63BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D63D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D63D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D63C23
_strlen.LIBCMT ref: 00D63C2E

Strings

@U=u, xrefs: 00D63C23

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 6155da7a76bcb1b2a95505f395fb6c93c121f0e40d7e1c97312f766b6ecd7ea1
Instruction ID: 82becbebcdfa3209b85dafbfbbf6dddb0d06dcee1ecc0378b3f19c1c9b2fb34f
Opcode Fuzzy Hash: 6155da7a76bcb1b2a95505f395fb6c93c121f0e40d7e1c97312f766b6ecd7ea1
Instruction Fuzzy Hash: 2E11B4327041152BCB28AE7C98929BE7764CF55B40F15002DF906AB2D2DE21DE4287F4

Function 00D9336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6ED19: GetLocalTime.KERNEL32 ref: 00D6ED2A
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6ED3B
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6ED79
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6EDAF
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6EDDF
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6EDEF
Part of subcall function 00D6ED19: _wcslen.LIBCMT ref: 00D6EE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 00D9340A

Strings

@U=u, xrefs: 00D9340A
SysDateTimePick32, xrefs: 00D933C7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: dd555be6555317e8b823eaf3596120239974bc4fe0242d9cd1599901d2703596
Instruction ID: 36efa1e9fe18179fd8ab3484c33b319a810e6a79529783b2df3b3cc67cf6e02f
Opcode Fuzzy Hash: dd555be6555317e8b823eaf3596120239974bc4fe0242d9cd1599901d2703596
Instruction Fuzzy Hash: 6021B1323902096BEF229E54DC82FEE73AAEB44754F244519F940EB1D0DAB1EC5097B0

Function 00D6215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D62178

Part of subcall function 00D6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D6B355
Part of subcall function 00D6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D62194,00000034,?,?,00001004,00000000,00000000), ref: 00D6B365
Part of subcall function 00D6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D62194,00000034,?,?,00001004,00000000,00000000), ref: 00D6B37B

Part of subcall function 00D6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621D0,?,?,00000034,00000800,?,00000034), ref: 00D6B42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 00D621DF

Part of subcall function 00D6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D6B3F8

Strings

@U=u, xrefs: 00D62178, 00D621DF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 1490b22df66b06d5337f2193a1aa907e280641e8a2d052fbccbd10529b0c7a93
Instruction ID: a8e63bf1e629e703a6edb6025c0237214981bf495341179449667539a9bd3620
Opcode Fuzzy Hash: 1490b22df66b06d5337f2193a1aa907e280641e8a2d052fbccbd10529b0c7a93
Instruction Fuzzy Hash: 68213E31901228ABEF15DBA8DC41FEDBBB8FF19354F100196E558E6190EA715A84CB74

Function 00D931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D93287

Strings

Combobox, xrefs: 00D93249

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 24f743e897063e75a7957669929d75e625936a92a7171f41ab8fef3ca54fb7ab
Instruction ID: e10c66bc8d6a5738537f91551938c3bd80f21a5947c2ec4b794f960398ee3b23
Opcode Fuzzy Hash: 24f743e897063e75a7957669929d75e625936a92a7171f41ab8fef3ca54fb7ab
Instruction Fuzzy Hash: E911B2713002097FFF259F94DC80EBB376AEB94364F144129F918A7290D631DD519770

Function 00D93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D0604C
Part of subcall function 00D0600E: GetStockObject.GDI32(00000011), ref: 00D06060
Part of subcall function 00D0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D0606A

GetWindowRect.USER32(00000000,?), ref: 00D9377A
GetSysColor.USER32(00000012), ref: 00D93794

Strings

static, xrefs: 00D93757

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 073a045e3a7d865c7a788a207ab3897c7552cc23ae4932af865e9afb52a8bea6
Instruction ID: 23a714dbac09641152109a28cf09b7274778b7aa4fd35b92a9a16c3e50fae8f2
Opcode Fuzzy Hash: 073a045e3a7d865c7a788a207ab3897c7552cc23ae4932af865e9afb52a8bea6
Instruction Fuzzy Hash: 601137B2610209AFDF00DFA8CC46EEA7BB8FB08314F005915F955E3250E775E8619B60

Function 00D96181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D961FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00D96225

Strings

@U=u, xrefs: 00D961FC, 00D96225

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 70616d2f18a1f242d803762c9787e3d8df8758680b7297b9374ad14b24a5cd0e
Instruction ID: 9ed6e8333a2699f8740745571964ee63c590e547c2e6715cc2ca5b43e8ef135f
Opcode Fuzzy Hash: 70616d2f18a1f242d803762c9787e3d8df8758680b7297b9374ad14b24a5cd0e
Instruction Fuzzy Hash: 8D11C132140214BEEF148F68CC19FBA3BA4EB0A710F444115FA16EE1E1D2B0DA00EB78

Function 00D7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D7CDA6

Strings

<local>, xrefs: 00D7CD66

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cdb1dc623419c1eed90d158dd8af037bce152b713a4ebd49d877cfc04ef02bea
Instruction ID: 370d460ab3204c386dc855d6f254f620cf7a6adb9a2e4d91dc10154725ec039e
Opcode Fuzzy Hash: cdb1dc623419c1eed90d158dd8af037bce152b713a4ebd49d877cfc04ef02bea
Instruction Fuzzy Hash: 7911C671225631BED7344B668C45FE7BEACEF127A4F00922EB14D83180E7749841D6F0

Function 00D94F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00D94FCC

Strings

@U=u, xrefs: 00D94FCC, 00D95008

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 78160a708e78360f17358ca2dd1182cbe7d264bedd27d263fab7c76a4845fc16
Instruction ID: f537d8bfa35a97301ad07649e28150ae19d7e0c3df15af6ba1df8d414d0de6b1
Opcode Fuzzy Hash: 78160a708e78360f17358ca2dd1182cbe7d264bedd27d263fab7c76a4845fc16
Instruction Fuzzy Hash: E121D37AA1021AEFCF15CFA8D950CEA7BB5FF4D340B104155F905A7324D631E921DBA0

Function 00D930D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00D93147

Strings

button, xrefs: 00D9311E
@U=u, xrefs: 00D93147

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 0031c8996d585a25a3a2935a181b546f37ecb7e742614f5bd76164b2eb705ee8
Instruction ID: 7bbd26a4f3580cc15646f3273ebbb3403bbbce41637553c8fadadc47ae39ae6b
Opcode Fuzzy Hash: 0031c8996d585a25a3a2935a181b546f37ecb7e742614f5bd76164b2eb705ee8
Instruction Fuzzy Hash: 0C11AD32250309BBDF118FA4DC41FEB3BAAEB08754F140114FA54A72A0C776E861AB70

Function 00D66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D09CB3: _wcslen.LIBCMT ref: 00D09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D66CB6
_wcslen.LIBCMT ref: 00D66CC2

Strings

STOP, xrefs: 00D66CBC, 00D66CC1

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d97785c9151153546d273bcd2c6ce92aa558983fdcb48ea269a0ce6d9b19daf3
Instruction ID: 9fdc0d38a83e3023298400057e19b5188d99270707de24206ac41fe858dff572
Opcode Fuzzy Hash: d97785c9151153546d273bcd2c6ce92aa558983fdcb48ea269a0ce6d9b19daf3
Instruction Fuzzy Hash: 0701D232A109278BCB20AFBDDC909BF7BB5EF61710B150528E862972D5EB31D940CA70

Function 00D623DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621D0,?,?,00000034,00000800,?,00000034), ref: 00D6B42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D6243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D6245E

Strings

@U=u, xrefs: 00D6243B, 00D6245E

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: b8b94e377f967a65f70c5a216120a68d50f9b1fda85da6050c3c946b38c23c95
Instruction ID: d0e57003e306b6a5f1ff85498f005c79964f48517b8cb350c1c9d5cde6272fba
Opcode Fuzzy Hash: b8b94e377f967a65f70c5a216120a68d50f9b1fda85da6050c3c946b38c23c95
Instruction Fuzzy Hash: A501B932900218ABEB11AF64DC46FFEBB79DB14320F104167F565A61D1DBB06D55CB70

Function 00D94366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D943AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00D94408

Strings

@U=u, xrefs: 00D943AF

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 3d491a48c3acf8ff10a8a5cec2bbc6c285a199912174337e38eaf5c93e23787e
Instruction ID: f0cc82925d947020958e92658472d3d766445cdeb873a954ad1edfab66bb8575
Opcode Fuzzy Hash: 3d491a48c3acf8ff10a8a5cec2bbc6c285a199912174337e38eaf5c93e23787e
Instruction Fuzzy Hash: 9311BF30500744AFEB21CF34C891BE7BBE4BF05310F14851DE8AB97292D771A942DB60

Function 00D6250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00D62531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00D62564

Part of subcall function 00D6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D6B3F8

Part of subcall function 00D06B57: _wcslen.LIBCMT ref: 00D06B6A

Strings

@U=u, xrefs: 00D62531, 00D62564

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 48f74cfd49bf332897a2f7f108bd69b0f22ed2deb47acee0cbbd5828a5d9a27c
Instruction ID: f8ae6c5cff43d76725473bb35a07ddbc107d55577af72b637bbf7c4f7310b694
Opcode Fuzzy Hash: 48f74cfd49bf332897a2f7f108bd69b0f22ed2deb47acee0cbbd5828a5d9a27c
Instruction Fuzzy Hash: 08011E71900128AFDB50AF54DC91EE97768EB14344F809066B549E6150DE705E89CBB0

Function 00D990A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D19BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00D5769C,?,?,?), ref: 00D99111

Part of subcall function 00D19944: GetWindowLongW.USER32(?,000000EB), ref: 00D19952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00D990F7

Strings

@U=u, xrefs: 00D990F7

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: ee76e99ceb79c6e2f3e44a8d2018d69823e39e01a52a99cc4b2fe78b5a8f9352
Instruction ID: b92d56da52e047c0ba72ae5618073a178b2845ceda215b16bf3365229c2d6185
Opcode Fuzzy Hash: ee76e99ceb79c6e2f3e44a8d2018d69823e39e01a52a99cc4b2fe78b5a8f9352
Instruction Fuzzy Hash: 3401FC34201304BBDB209F18DC69EA6BBA6FB86360F000029F9551B2E1CB32A841CB70

Function 00D6246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D62480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D62497

Part of subcall function 00D623DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D6243B

Strings

@U=u, xrefs: 00D62480, 00D62497

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e86dbadcacc706aa1509bbb0a5fc5522259c579aad7c5ea11c0471ac7ae5459b
Instruction ID: e656f6a148aa9457866ce05ab11c0a3c7a7a2c15a438727cdf17da9e94bfdcad
Opcode Fuzzy Hash: e86dbadcacc706aa1509bbb0a5fc5522259c579aad7c5ea11c0471ac7ae5459b
Instruction Fuzzy Hash: 50F0E231601121BBEB201B16CC0ACEFBF6DDF56761B100015B405E2261CAA16D41C6B0

Function 00D8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D87493
_wcslen.LIBCMT ref: 00D874B9

Strings

3, 3, 16, 1, xrefs: 00D87483

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 4572e6295170e26bd3ba4bc8e4059e20c83cbdbc83a3f1b76663cbe67fd8bc17
Instruction ID: 348ffdde932070add594c7d264d64b9d3cb19d5c3106609f4852a2631dc4ecee
Opcode Fuzzy Hash: 4572e6295170e26bd3ba4bc8e4059e20c83cbdbc83a3f1b76663cbe67fd8bc17
Instruction Fuzzy Hash: 24E02B02204230209231327DECC1A7F5689CFD5760738182FFD85C2266EAD4CDD193B0

Function 00D62BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D62BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D62C2A

Strings

@U=u, xrefs: 00D62BFA, 00D62C2A

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 89b0e91108ec73c779eb4920c7e2667c7e34edd4b4e9f0e88fd1413f0181c8a0
Instruction ID: 37c0bbcf2cb8d7329f902c63dcc4db397b321272946b0159a6547b2716e628ab
Opcode Fuzzy Hash: 89b0e91108ec73c779eb4920c7e2667c7e34edd4b4e9f0e88fd1413f0181c8a0
Instruction Fuzzy Hash: D8F0A076340304BFFA116B80DC46FBA3B58EB247A1F005015F7499A1E0D9E25C1097B0

Function 00D62D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D6286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D62884
Part of subcall function 00D6286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D628B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00D62D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D62D90

Strings

@U=u, xrefs: 00D62D80, 00D62D90

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 63ec4b94eaf5b373de7182e2836adab7732096fda9c148c5836fcae9884a50d8
Instruction ID: c371fe9ba77d6d3d7ae3af7c749f28673412bbcaea2a7ca4caa68b1c8943b858
Opcode Fuzzy Hash: 63ec4b94eaf5b373de7182e2836adab7732096fda9c148c5836fcae9884a50d8
Instruction Fuzzy Hash: FBE0D8363447057FF6210A51DC46FB3375CD758751F101027F304651A1DEA2CC105970

Function 00D95829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00D95855
InvalidateRect.USER32(?,?,00000001), ref: 00D95877

Strings

@U=u, xrefs: 00D95855

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 054aaac4cc9189bf29c364482b7ba485cf17e4d4b5a36df6a483c4061ec84fda
Instruction ID: 9f9137f488f69bb814be3e773e53587b59cc992f4084542a91caa5870668b1d0
Opcode Fuzzy Hash: 054aaac4cc9189bf29c364482b7ba485cf17e4d4b5a36df6a483c4061ec84fda
Instruction Fuzzy Hash: 23F08232604150AEDB218F65ED44FEEBBF8EB86321F0441B3E55AD9165D6308A81CF70

Function 00D60B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D60B23

Strings

Error allocating memory., xrefs: 00D60B1C
AutoIt, xrefs: 00D60B17

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: c36438249bf9a55964a46a42ccba5fa1ce8eda43feb3ba124c06decacf533110
Instruction ID: 1f2f9fa9b3af487e94a1cca1d7ac551ed569bbf0ec3b81b42d276cf784a41bde
Opcode Fuzzy Hash: c36438249bf9a55964a46a42ccba5fa1ce8eda43feb3ba124c06decacf533110
Instruction Fuzzy Hash: F7E04F322983187AD61437947C03FD97A84CF19B65F10446AFB98995C38EE264A04AB9

Function 00D20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D20D71,?,?,?,00D0100A), ref: 00D1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00D0100A), ref: 00D20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D0100A), ref: 00D20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D20D7F

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 91a777260f206975c58eb34c5037892b02f066aa93e97c4caa18f8a3dcba7a58
Instruction ID: fab61734cf869ee9dab4fa967673d5be520b1ed74f716b3c01621695b4ac21e9
Opcode Fuzzy Hash: 91a777260f206975c58eb34c5037892b02f066aa93e97c4caa18f8a3dcba7a58
Instruction Fuzzy Hash: 89E0E5742017619BD7609FB8E8087567FE4EB14748F04892EE486C6B92DBB5E4888BB1

Function 00D5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D5D220

Strings

X64, xrefs: 00D5D2A8
%.3d, xrefs: 00D5D22B

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 25f7fa6319d46d3c2587b99db953ffa40c85c1f3de0e00961c6b1c83237d13dc
Instruction ID: 8f1881bd600b7b26c7aaf5763f62cfc41cf852408a0c2ca0e86ff3b6446b632a
Opcode Fuzzy Hash: 25f7fa6319d46d3c2587b99db953ffa40c85c1f3de0e00961c6b1c83237d13dc
Instruction Fuzzy Hash: 00D01271808109F9CF6097D0DC459F9B37DEB08302F508456FC56D2040DA34D54CAB75

Function 00D92356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D9236C
PostMessageW.USER32(00000000), ref: 00D92373

Part of subcall function 00D6E97B: Sleep.KERNEL32 ref: 00D6E9F3

Strings

Shell_TrayWnd, xrefs: 00D92365

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fcdbcadcea56bb115b21987c8b3b532e437cc47de40a48facf576d6fdd2984d0
Instruction ID: ec39286cdf1a08ec3fa7ad694899c1ef1e8f74d300a15ac10d1d233e6067e6c4
Opcode Fuzzy Hash: fcdbcadcea56bb115b21987c8b3b532e437cc47de40a48facf576d6fdd2984d0
Instruction Fuzzy Hash: C2D0C9363913107BE6A4A7709C0FFC666249B04B10F1159177645EA2E4C9A0A8058A74

Function 00D92322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D9232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D9233F

Part of subcall function 00D6E97B: Sleep.KERNEL32 ref: 00D6E9F3

Strings

Shell_TrayWnd, xrefs: 00D92325

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 56e569028682c0a2f72432920e6617ee34ce2fd6469ca3b12789feeae20314ea
Instruction ID: 2a595d861aed001d125d8f1d2ce90ebc7a3f74970647f76bed6c3aa27a6d4978
Opcode Fuzzy Hash: 56e569028682c0a2f72432920e6617ee34ce2fd6469ca3b12789feeae20314ea
Instruction Fuzzy Hash: 00D0C9363A4310BBE6A4A7709C0FFC66A249F00B10F1159177645EA2E4C9A0A8058A74

Function 00D62313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D6231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00D6232D

Strings

@U=u, xrefs: 00D6231F, 00D6232D

Memory Dump Source

Source File: 00000000.00000002.1361735413.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1361687753.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000D9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361784552.0000000000DC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361822499.0000000000DCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1361839676.0000000000DD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_6YmCyBvw73.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c80a04a483471dd7de6f7850e1db444c84c294e2752d57d3209d2fe5777471a0
Instruction ID: 59f974affc4f84cab76ec8ce4425930c7601c9c8a25d9330fcfb1b2edc150f61
Opcode Fuzzy Hash: c80a04a483471dd7de6f7850e1db444c84c294e2752d57d3209d2fe5777471a0
Instruction Fuzzy Hash: 72C04C321502C0BAF7311B67BD0DD573E3DE7DBF51710215DB215D51B586650055D634

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6YmCyBvw73.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Anglophile

C:\Users\user\AppData\Local\Temp\aut4211.tmp

C:\Users\user\AppData\Local\Temp\aut4280.tmp

C:\Users\user\AppData\Local\Temp\cacostomia

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
6YmCyBvw73.exe

Function 00D042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00D042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00D42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00D02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00D4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00D0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00D02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00D03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00D38D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 038F25F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00D02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 038F23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00D72947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00D03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre