Edit tour

Windows Analysis Report
2hp5ee36OS.exe

Overview

General Information

Sample name:	2hp5ee36OS.exe renamed because original name is a hash value
Original sample name:	1a0fcfdf65df1a067df718ddf594b8e27e17a744.exe
Analysis ID:	1546798
MD5:	26ae69324cec59aec90936fa0c18882e
SHA1:	1a0fcfdf65df1a067df718ddf594b8e27e17a744
SHA256:	d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
Tags:	exeReversingLabsuser-NDA0E
Infos:

Detection

FloodFix

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FloodFix

AI detected suspicious sample

Machine Learning detection for dropped file

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2hp5ee36OS.exe (PID: 7772 cmdline: "C:\Users\user\Desktop\2hp5ee36OS.exe" MD5: 26AE69324CEC59AEC90936FA0C18882E)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2hp5ee36OS.exe	Malware_Floxif_mpsvc_dll	Malware - Floxif	Florian Roth	0x5954:$op1: 04 80 7A 03 01 75 04 8D 42 04 C3 8D 42 04 53 8B 0x5974:$op2: 88 19 74 03 41 EB EA C6 42 03 01 5B C3 8B 4C 24 0x70d8:$op3: FF 03 8D 00 F9 FF FF 88 01 EB A1 0x7140:$op3: FF 03 8D 00 F9 FF FF 88 01 EB A1

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Common Files\System\symsrv.dll	JoeSecurity_FloodFix	Yara detected FloodFix	Joe Security
C:\Program Files\Common Files\System\symsrv.dll	MAL_Floxif_Generic	Detects Floxif Malware	Florian Roth
C:\Program Files\Common Files\System\symsrv.dll	MALWARE_Win_FloodFix	Detects FloodFix	ditekSHen

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack	JoeSecurity_FloodFix	Yara detected FloodFix	Joe Security
0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack	MAL_Floxif_Generic	Detects Floxif Malware	Florian Roth
0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack	MALWARE_Win_FloodFix	Detects FloodFix	ditekSHen
0.2.2hp5ee36OS.exe.10000000.2.unpack	JoeSecurity_FloodFix	Yara detected FloodFix	Joe Security
0.2.2hp5ee36OS.exe.10000000.2.unpack	MAL_Floxif_Generic	Detects Floxif Malware	Florian Roth
0.2.2hp5ee36OS.exe.10000000.2.unpack	MALWARE_Win_FloodFix	Detects FloodFix	ditekSHen
0.0.2hp5ee36OS.exe.400000.0.unpack	Malware_Floxif_mpsvc_dll	Malware - Floxif	Florian Roth	0x5954:$op1: 04 80 7A 03 01 75 04 8D 42 04 C3 8D 42 04 53 8B 0x5974:$op2: 88 19 74 03 41 EB EA C6 42 03 01 5B C3 8B 4C 24 0x70d8:$op3: FF 03 8D 00 F9 FF FF 88 01 EB A1 0x7140:$op3: FF 03 8D 00 F9 FF FF 88 01 EB A1
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2hp5ee36OS.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

Avira: detection malicious, Label: TR/Floxif.BB

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: 2hp5ee36OS.exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\System\symsrv.dll

Joe Sandbox ML: detected

Source: 2hp5ee36OS.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Directory created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Spreading

Yara detected FloodFix

Source: Yara match	File source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00408F58 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_00408F58
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_1000AFBB GetFileAttributesA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_1000AFBB
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100060BA FindFirstFileA,FindNextFileA,FindClose,GetTickCount,	0_2_100060BA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100083FF GetDriveTypeA,FindFirstFileA,FindClose,	0_2_100083FF
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100066AC FindFirstFileA,FindNextFileA,FindClose,GetTickCount,	0_2_100066AC
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10007752 GetDriveTypeA,FindFirstFileA,FindClose,SetErrorMode,_rand,	0_2_10007752

Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5isohu.com/
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5isohu.com/Z
Source: 2hp5ee36OS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 2hp5ee36OS.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 2hp5ee36OS.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: 2hp5ee36OS.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: 2hp5ee36OS.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: 2hp5ee36OS.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2hp5ee36OS.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 2hp5ee36OS.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00407462 OpenClipboard,

0_2_00407462

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00407522 SetClipboardData,

0_2_00407522

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_0040720A GetClipboardData,

0_2_0040720A

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_0040727A GetKeyboardState,

0_2_0040727A

System Summary

Malicious sample detected (through community Yara rule)

Source: 2hp5ee36OS.exe, type: SAMPLE	Matched rule: Malware - Floxif Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects FloodFix Author: ditekSHen
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: Detects FloodFix Author: ditekSHen
Source: 0.0.2hp5ee36OS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Malware - Floxif Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: Detects Floxif Malware Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: Detects FloodFix Author: ditekSHen

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_004070EA NtdllDefWindowProc_A,

0_2_004070EA

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_1000C855	0_2_1000C855
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_1001A909	0_2_1001A909
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100129F0	0_2_100129F0
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10017432	0_2_10017432

Source: Joe Sandbox View

Dropped File: C:\Program Files\Common Files\System\symsrv.dll DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

Source: 2hp5ee36OS.exe, 00000000.00000002.1446438155.0000000002161000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000002.1446438155.0000000002161000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename N vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: originalfilename n vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000000.1394963824.000000000048D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe, 00000000.00000003.1399379165.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLanguagePack vs 2hp5ee36OS.exe
Source: 2hp5ee36OS.exe	Binary or memory string: OriginalFilenameN vs 2hp5ee36OS.exe

Source: 2hp5ee36OS.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 2hp5ee36OS.exe, type: SAMPLE	Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.21f88ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2hp5ee36OS.exe.10000000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: 0.0.2hp5ee36OS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Malware_Floxif_mpsvc_dll date = 2017-04-07, hash1 = 1e654ee1c4736f4ccb8b5b7aa604782cfb584068df4d9e006de8009e60ab5a14, author = Florian Roth, description = Malware - Floxif, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED	Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix

Source: classification engine

Classification label: mal96.troj.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_1000469C LookupPrivilegeValueA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,GetLastError,

0_2_1000469C

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00406C12 GetDiskFreeSpaceA,

0_2_00406C12

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_10007965 CreateToolhelp32Snapshot,Module32First,Module32Next,CloseHandle,

0_2_10007965

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00406D62 SizeofResource,

0_2_00406D62

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

File created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Mutant created: \Sessions\1\BaseNamedObjects\FSFocus

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2hp5ee36OS.exe

ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

File read: C:\Users\user\Desktop\2hp5ee36OS.exe

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: ws2help.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Directory created: C:\Program Files\Common Files\System\symsrv.dll

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_1000C855 GetModuleFileNameA,Sleep,GetCurrentThreadId,GetCurrentProcessId,KiUserExceptionDispatcher,GetSystemDirectoryA,GetWindowsDirectoryA,GetTempPathA,GetModuleHandleA,LoadLibraryA,GetProcAddress,WriteProcessMemory,RtlInitializeCriticalSection,RtlInitializeCriticalSection,GetModuleFileNameA,GetShortPathNameA,_rand,Sleep,Sleep,Sleep,Sleep,Sleep,_rand,_rand,

0_2_1000C855

Source: symsrv.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f436
Source: 2hp5ee36OS.exe	Static PE information: real checksum: 0x9f638 should be: 0xb4b1f

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00406844 push 00406895h; ret	0_2_0040688D
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00406842 push 00406895h; ret	0_2_0040688D
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_0040785C push 00407888h; ret	0_2_00407880
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00483004 push 00483020h; ret	0_2_00483018
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_004830CC push 004830F2h; ret	0_2_004830EA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_004078CD push 00407BF0h; ret	0_2_00407BE8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00407894 push 004078C0h; ret	0_2_004078B8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00406A28 push 00406A54h; ret	0_2_00406A4C
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00406AE4 push 00406B10h; ret	0_2_00406B08
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_004076FC push ecx; mov dword ptr [esp], eax	0_2_004076FD
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00407BC4 push 00407BF0h; ret	0_2_00407BE8
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100210F2 push eax; ret	0_2_10021139
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10021188 push eax; ret	0_2_10021139
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_1002DB93 push es; ret	0_2_1002DB96
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10013458 push eax; ret	0_2_10013476
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10001678 push eax; retn 0008h	0_2_10001681
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100187B0 push eax; ret	0_2_100187DE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

File created: C:\Program Files\Common Files\System\symsrv.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_004073CA IsIconic,

0_2_004073CA

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Dropped PE file which has not been started: C:\Program Files\Common Files\System\symsrv.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-13808

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-13530

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

API coverage: 8.8 %

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_00408F58 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_00408F58
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_1000AFBB GetFileAttributesA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_1000AFBB
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100060BA FindFirstFileA,FindNextFileA,FindClose,GetTickCount,	0_2_100060BA
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100083FF GetDriveTypeA,FindFirstFileA,FindClose,	0_2_100083FF
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_100066AC FindFirstFileA,FindNextFileA,FindClose,GetTickCount,	0_2_100066AC
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10007752 GetDriveTypeA,FindFirstFileA,FindClose,SetErrorMode,_rand,	0_2_10007752

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00406C7A GetSystemInfo,

0_2_00406C7A

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

API call chain: ExitProcess graph end node

graph_0-12959

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

0_2_1000C855

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_1000D737 VirtualProtect,VirtualProtect,GetModuleHandleA,Sleep,GetProcessHeap,HeapFree,SetLastError,

0_2_1000D737

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10017E3B SetUnhandledExceptionFilter,		0_2_10017E3B
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: 0_2_10017E4D SetUnhandledExceptionFilter,		0_2_10017E4D

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_1000E613 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,UnmapViewOfFile,CreateFileMappingA,MapViewOfFile,MapViewOfFile,

0_2_1000E613

Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,		0_2_00406050
Source: C:\Users\user\Desktop\2hp5ee36OS.exe	Code function: GetLocaleInfoA,		0_2_00406C2A

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00406C22 GetLocalTime,

0_2_00406C22

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_1000C20F GetUserNameA,GetModuleHandleA,LoadLibraryA,

0_2_1000C20F

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_10018956 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_10018956

Source: C:\Users\user\Desktop\2hp5ee36OS.exe

Code function: 0_2_00406C92 GetVersion,

0_2_00406C92

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Access Token Manipulation	2 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	15 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2hp5ee36OS.exe	95%	ReversingLabs	Win32.Virus.Floxif
2hp5ee36OS.exe	100%	Avira	W32/Floxif.iici

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Common Files\System\symsrv.dll	100%	Avira	TR/Floxif.BB
C:\Program Files\Common Files\System\symsrv.dll	100%	Joe Sandbox ML
C:\Program Files\Common Files\System\symsrv.dll	100%	ReversingLabs	Win32.Trojan.Floxif

Name	Source	Malicious	Antivirus Detection	Reputation
http://5isohu.com/	2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://5isohu.com/Z	2hp5ee36OS.exe, 00000000.00000003.1399399640.0000000000684000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546798
Start date and time:	2024-11-01 15:55:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2hp5ee36OS.exe renamed because original name is a hash value
Original Sample Name:	1a0fcfdf65df1a067df718ddf594b8e27e17a744.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 61% Number of executed functions: 30 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: 2hp5ee36OS.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Common Files\System\symsrv.dll	9dePCvDX8X.exe	Get hash	malicious	FloodFix	Browse
	ZYlsAQi8bj.exe	Get hash	malicious	FloodFix	Browse
	4g33Ui2SbU.exe	Get hash	malicious	FloodFix	Browse
	4afG8b79X5.exe	Get hash	malicious	FloodFix	Browse
	c9DQdpQLKz.exe	Get hash	malicious	FloodFix	Browse
	n64NG4zCN2.exe	Get hash	malicious	FloodFix	Browse
	0vJrK0NCd1.exe	Get hash	malicious	Remcos, DBatLoader, FloodFix	Browse
	jpeg_12.dll	Get hash	malicious	FloodFix	Browse
	DHL_Shipping_Docs00945_pdf.exe	Get hash	malicious	FloodFix	Browse
	echomiragePC.exe	Get hash	malicious	FloodFix, Remcos	Browse

Created / dropped Files

C:\Program Files\Common Files\System\symsrv.dll

Download File

Process:	C:\Users\user\Desktop\2hp5ee36OS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	69337
Entropy (8bit):	7.734269834755614
Encrypted:	false
SSDEEP:	1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZL:c8y93KQjy7G55riF1cMo03V
MD5:	7574CF2C64F35161AB1292E2F532AABF
SHA1:	14BA3FA927A06224DFE587014299E834DEF4644F
SHA-256:	DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
SHA-512:	4DB19F2D8D5BC1C7BBB812D3FA9C43B80FA22140B346D2760F090B73AED8A5177EDB4BDDC647A6EBD5A2DB8565BE5A1A36A602B0D759E38540D9A584BA5896AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FloodFix, Description: Yara detected FloodFix, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: Joe Security Rule: MAL_Floxif_Generic, Description: Detects Floxif Malware, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: Florian Roth Rule: MALWARE_Win_FloodFix, Description: Detects FloodFix, Source: C:\Program Files\Common Files\System\symsrv.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: 9dePCvDX8X.exe, Detection: malicious, Browse Filename: ZYlsAQi8bj.exe, Detection: malicious, Browse Filename: 4g33Ui2SbU.exe, Detection: malicious, Browse Filename: 4afG8b79X5.exe, Detection: malicious, Browse Filename: c9DQdpQLKz.exe, Detection: malicious, Browse Filename: n64NG4zCN2.exe, Detection: malicious, Browse Filename: 0vJrK0NCd1.exe, Detection: malicious, Browse Filename: jpeg_12.dll, Detection: malicious, Browse Filename: DHL_Shipping_Docs00945_pdf.exe, Detection: malicious, Browse Filename: echomiragePC.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.'...I...I...I.i.E...I.$.B...I..G...I.$.C.{.I.}.B...I.p.Z...I...H..I...B...I...O...I...M...I.Rich..I.................PE..L......P...........!................................................................................................(.......L...........L...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................2.03.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.868641274199096
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	2hp5ee36OS.exe
File size:	699'023 bytes
MD5:	26ae69324cec59aec90936fa0c18882e
SHA1:	1a0fcfdf65df1a067df718ddf594b8e27e17a744
SHA256:	d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
SHA512:	3582b64bc8b607c5a125f9af432b28ae09993fd0c3ce735c045c8d4d1ae23f8a56340ef0aedfe6db2eecadd228c7920a3ddf4ca86676477b51925536333cd3c2
SSDEEP:	12288:i1ykbxmJKdxEMAvMfKfVhbR5P3vT7UOX+fsb/IhCKQqoHBjvrEH75:inm4wMDCtZ3vUsiCTqyrEH75
TLSH:	1AE48E22E29247B7C173163CBC4F23659C36BE152E28A9466BF41D8C5F3DA513D3A287
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	80a280a2a280a200

Static PE Info

General

Entrypoint:	0x483364
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0fddcacafee24b3f4545e7a57eaea1f7

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007F3B0087C1E5h
call 00007F3B33E6C4C8h
ror byte ptr [ecx+4589EC45h], FFFFFFE8h
mov eax, 004830F4h
call 00007F3B0087A4DAh
xor eax, eax
push ebp
push 004834CDh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [00485490h]
mov eax, dword ptr [eax]
mov edx, 004834E4h
call 00007F3B008D2E0Bh
mov eax, dword ptr [00485490h]
mov eax, dword ptr [eax]
call 00007F3B008D31FFh
mov ebx, 00000093h
imul eax, ebx, 000000ADh
mov ebx, eax
push 004834F4h
push FFFFFFFFh
push 00000000h
call 00007F3B0087A61Ch
call 00007F3B0087A6C7h
cmp eax, 000000B7h
jne 00007F3B008F6E86h
mov eax, 00483500h
call 00007F3B008F6ACAh
call 00007F3B00877C21h
jmp 00007F3B008F6F3Fh
call 00007F3B008D727Fh
cmp eax, 03h
jl 00007F3B008F6ECEh
call 00007F3B0087E53Dh
add esp, FFFFFFF8h
fstp qword ptr [esp]
wait
call 00007F3B008D4565h
movzx edi, ax
call 00007F3B0087E529h
add esp, FFFFFFF8h
fstp qword ptr [esp]
wait
call 00007F3B008D452Dh
movzx eax, ax
imul edi, eax
imul edi, edi, 0Eh
lea eax, dword ptr [ebx+ebx*2]
lea eax, dword ptr [eax+eax*8]
add edi, eax
lea edx, dword ptr [ebp-18h]
mov eax, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x88000	0x287c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x97000	0x5a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x95c00	0x1cc8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8c000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x82514	0x82600	618d7e071d1c83ead97f031759b165f9	False	0.5258550305608821	data	6.542532161146491	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x84000	0x161c	0x1800	c21f21b38785e1e9e8943593d6eead7e	False	0.390625	data	3.7250553947156755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x86000	0x1031	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x88000	0x287c	0x2a00	b729254afb1036e3f92b8dc5df663553	False	0.34561011904761907	data	4.958081990754235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x8b000	0x24	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8c000	0x18	0x200	a6cb9f1a4a8049af1c85f73a4b116345	False	0.048828125	data	0.2005819074398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8d000	0x93c4	0x9400	2e31d36bb738ca1aa2eeb17050bd1745	False	0.5617873733108109	data	6.639997275023061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x97000	0x5a00	0x5a00	05f26ab7dd15de0bad967b32a58ddfc5	False	0.3099826388888889	data	4.343420113898351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x97adc	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x97c10	0x134	data			0.4642857142857143
RT_CURSOR	0x97d44	0x134	data			0.4805194805194805
RT_CURSOR	0x97e78	0x134	data			0.38311688311688313
RT_CURSOR	0x97fac	0x134	data			0.36038961038961037
RT_CURSOR	0x980e0	0x134	data			0.4090909090909091
RT_CURSOR	0x98214	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x98348	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x98518	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x986fc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x988cc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x98a9c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x98c6c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x98e3c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x9900c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x991dc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x993ac	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x9957c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0x99664	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.25
RT_DIALOG	0x9978c	0x52	data			0.7682926829268293
RT_STRING	0x997e0	0x380	data			0.4408482142857143
RT_STRING	0x99b60	0x260	data			0.4753289473684211
RT_STRING	0x99dc0	0xe8	data			0.5905172413793104
RT_STRING	0x99ea8	0x128	data			0.5574324324324325
RT_STRING	0x99fd0	0x2c8	data			0.45786516853932585
RT_STRING	0x9a298	0x408	data			0.37887596899224807
RT_STRING	0x9a6a0	0x390	data			0.35855263157894735
RT_STRING	0x9aa30	0x400	data			0.359375
RT_STRING	0x9ae30	0x114	data			0.5
RT_STRING	0x9af44	0xe4	data			0.5482456140350878
RT_STRING	0x9b028	0x24c	data			0.477891156462585
RT_STRING	0x9b274	0x384	data			0.3233333333333333
RT_STRING	0x9b5f8	0x3ac	data			0.3819148936170213
RT_STRING	0x9b9a4	0x2e8	data			0.3911290322580645
RT_RCDATA	0x9bc8c	0x10	data			1.5
RT_RCDATA	0x9bc9c	0x364	data			0.6474654377880185
RT_RCDATA	0x9c000	0x1a1	Delphi compiled form 'TMainForm'			0.7146282973621103
RT_GROUP_CURSOR	0x9c1a4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x9c1b8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x9c1cc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x9c1e0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x9c1f4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x9c208	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x9c21c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x9c230	0x14	data	English	United States	1.15
RT_VERSION	0x9c244	0x340	data	English	United States	0.42908653846153844
RT_MANIFEST	0x9c584	0x3fb	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4308145240431796

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpA, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExW, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCommandLineW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CreateEventA, CompareStringW, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32W, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterHotKey, UnregisterClassW, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExW, SetWindowsHookExA, SetWindowTextW, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoW, SetMenuItemInfoA, SetMenuInfo, SetMenu, SetLayeredWindowAttributes, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterHotKey, RegisterClipboardFormatA, RegisterClassW, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringW, GetMenuStringA, GetMenuState, GetMenuItemInfoW, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassNameA, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefWindowProcA, DefMDIChildProcW, DefMDIChildProcA, DefFrameProcW, DefFrameProcA, CreateWindowExW, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateMDIWindowW, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharUpperA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VarBstrFromBool, VarBstrFromDate, VarBstrFromCy, VarBoolFromStr, VarCyFromStr, VarDateFromStr, VarR8FromStr, VarI4FromStr, VarNot, VarNeg, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	ShellExecuteA
comdlg32.dll	FindTextA, GetOpenFileNameA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	10:56:20
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\2hp5ee36OS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2hp5ee36OS.exe"
Imagebase:	0x400000
File size:	699'023 bytes
MD5 hash:	26AE69324CEC59AEC90936FA0C18882E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	1292
Total number of Limit Nodes:	22

Executed Functions

Function 1000C855 Relevance: 55.0, APIs: 23, Strings: 8, Instructions: 730
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Program Files\Common Files\System\symsrv.dll,00000104), ref: 1000C861
Sleep.KERNEL32(0000000A), ref: 1000C86D
GetCurrentThreadId.KERNEL32 ref: 1000C995
GetCurrentProcessId.KERNEL32 ref: 1000C9A0
GetSystemDirectoryA.KERNEL32(C:\Program Files\Common Files\System\symsrv.dll,00000104), ref: 1000CA7A
GetWindowsDirectoryA.KERNEL32(C:\Program Files\Common Files\System\symsrv.dll,00000104), ref: 1000CAA6
GetTempPathA.KERNEL32(00000104,C:\Program Files\Common Files\System\symsrv.dll,C:\Program Files\Common Files\System\symsrv.dll), ref: 1000CAD2

Strings

k, xrefs: 1000CEAF
C:\PROGRA~1\COMMON~1\System\symsrv.dll, xrefs: 1000D0F9
', xrefs: 1000C9D4
0, xrefs: 1000CFF9
i, xrefs: 1000CD2E
N, xrefs: 1000CF5C
E, xrefs: 1000CE9F
C:\Program Files\Common Files\System\symsrv.dll, xrefs: 1000C85A, 1000C875, 1000CA75, 1000CA80, 1000CAA1, 1000CAAC, 1000CAC8, 1000CAD8, 1000D0C5, 1000D0E5, 1000D0FE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CurrentDirectory$FileModuleNamePathProcessSleepSystemTempThreadWindows
String ID: '$0$C:\PROGRA~1\COMMON~1\System\symsrv.dll$C:\Program Files\Common Files\System\symsrv.dll$E$N$i$k
API String ID: 1781033083-3469198408
Opcode ID: 4f1bdc6b06ee9027aff4994ce6243d8717ec2cce636f1064e14d603884b63dba
Instruction ID: a733f807f674a3ead1363c1710542011ba7e1a2e3ca67a53d60f2b956809581b
Opcode Fuzzy Hash: 4f1bdc6b06ee9027aff4994ce6243d8717ec2cce636f1064e14d603884b63dba
Instruction Fuzzy Hash: 78526474D042C59AFB20E3B88C46BDD7B61DF26394F448298F1997B2CBDB70A9418772

Function 1000C20F Relevance: 50.9, APIs: 3, Strings: 26, Instructions: 108
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 1000C313
GetModuleHandleA.KERNEL32(00000000,00000000,00000000), ref: 1000C3B1
LoadLibraryA.KERNEL32(00000000), ref: 1000C3D5

Strings

], xrefs: 1000C247
j, xrefs: 1000C385
], xrefs: 1000C25B
_, xrefs: 1000C25F
b, xrefs: 1000C393
F, xrefs: 1000C223
B, xrefs: 1000C22B
k, xrefs: 1000C34D
b, xrefs: 1000C369
F, xrefs: 1000C227
<, xrefs: 1000C377
G, xrefs: 1000C24F
[, xrefs: 1000C23F
|, xrefs: 1000C354
, xrefs: 1000C37E
e, xrefs: 1000C346
Z, xrefs: 1000C21F
`, xrefs: 1000C35B
A, xrefs: 1000C243
Q, xrefs: 1000C257
b, xrefs: 1000C38C
k, xrefs: 1000C362
Z, xrefs: 1000C24B
], xrefs: 1000C273
2, xrefs: 1000C267
=, xrefs: 1000C370

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: HandleLibraryLoadModuleNameUser
String ID: $2$<$=$A$B$F$F$G$Q$Z$Z$[$]$]$]$_$`$b$b$b$e$j$k$k$|
API String ID: 2828708801-2692872198
Opcode ID: 0dfb5bdb681409ac153bad3bd0c7ea0d2243132f166f1bf51e45dded76afa326
Instruction ID: 10224049d10c4ba984f412ff21e5452163c6903c7485fc333e9c19f4ce280a82
Opcode Fuzzy Hash: 0dfb5bdb681409ac153bad3bd0c7ea0d2243132f166f1bf51e45dded76afa326
Instruction Fuzzy Hash: 0F51D360C087D9D9EB22C3BC98487CDBE755F23314F4842C9E0A86B2D2D7B94649DB76

Function 1000AFBB Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 178
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 1000B06A
FindNextFileA.KERNEL32(?,?), ref: 1000B1DD
FindClose.KERNEL32(?), ref: 1000B1EF

Strings

E, xrefs: 1000B09D
7, xrefs: 1000AFE5
(, xrefs: 1000B0AB
\, xrefs: 1000B096
X, xrefs: 1000B0A4

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: ($7$E$X$\
API String ID: 3541575487-490530916
Opcode ID: ad34d529ce8fd2a3c06390e6bec0523498eea3e45192d3d583346b12ede68a2f
Instruction ID: 91f0a4fd0c70f6f0cae64176a13c2d9396df7fa32df48a5b0134076d7c45fd39
Opcode Fuzzy Hash: ad34d529ce8fd2a3c06390e6bec0523498eea3e45192d3d583346b12ede68a2f
Instruction Fuzzy Hash: 5261E776C14298AAFB15DBA0DC95EEE7738EF14340F4449A8F51976086EF306B48CBA1

Function 1000D737 Relevance: 10.7, APIs: 7, Instructions: 226
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,000000F8,00000040,?), ref: 1000D759
VirtualProtect.KERNELBASE(?,000000F8,?,?), ref: 1000D794
GetModuleHandleA.KERNEL32(00000000), ref: 1000D91E
Sleep.KERNELBASE(00000064,1002595C,?), ref: 1000D959
SetLastError.KERNEL32(00000000), ref: 1000D9C5

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ProtectVirtual$ErrorHandleLastModuleSleep
String ID:
API String ID: 789627168-0
Opcode ID: de88272510c9d8d8f67cf94dcb16393da77082f97589e9c0fc7917d1ad7932df
Instruction ID: 7bb754b7f352ebe9f7f92ee2beb9795494308d0c5fc70c108ef66ead31156f9f
Opcode Fuzzy Hash: de88272510c9d8d8f67cf94dcb16393da77082f97589e9c0fc7917d1ad7932df
Instruction Fuzzy Hash: 86A10575A00109AFEB04DF98C891EEEB7B5FF88354F148259F919AB385D730A950CBA1

Function 1000469C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 100046AE
LoadLibraryA.KERNEL32(00000000), ref: 10004787
GetProcAddress.KERNEL32(00000000), ref: 1000478E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 100047A7
GetLastError.KERNEL32 ref: 100047AA

Strings

=, xrefs: 1000470D

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressAdjustErrorLastLibraryLoadLookupPrivilegePrivilegesProcTokenValue
String ID: =
API String ID: 2597230620-2322244508
Opcode ID: d92c3bc4c884d189298ce29acb1f866a8a0a45c90e38cefa8e7054883b974a3e
Instruction ID: 1d37563caeedf872c2bbec29f4a6d94c3dcff0b103c3b124c2aacc26225018e0
Opcode Fuzzy Hash: d92c3bc4c884d189298ce29acb1f866a8a0a45c90e38cefa8e7054883b974a3e
Instruction Fuzzy Hash: 6B41F9119187CA9DDB22C7BC8C48ADEBF755B6B134F0843C8E5F07A2E6D3644206C3A6

Function 10018956 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1001470E: RtlInitializeCriticalSection.NTDLL(00000000), ref: 1001474B
Part of subcall function 1001470E: RtlEnterCriticalSection.NTDLL(10011E5A), ref: 10014766

Part of subcall function 1001476F: RtlLeaveCriticalSection.NTDLL ref: 1001477C

GetTimeZoneInformation.KERNELBASE(0000000C,?,?,?,0000000B,0000000B,?,10018947,10014AF4,?,?,?,?,10012666,?,?), ref: 100189A4
WideCharToMultiByte.KERNEL32(00000220,Eastern Standard Time,000000FF,0000003F,00000000,?,?,10018947,10014AF4,?,?,?,?,10012666,?,?), ref: 10018A3A
WideCharToMultiByte.KERNEL32(00000220,Eastern Summer Time,000000FF,0000003F,00000000,?,?,10018947,10014AF4,?,?,?,?,10012666,?,?), ref: 10018A73

Strings

Eastern Summer Time, xrefs: 10018A67
Eastern Standard Time, xrefs: 10018A2E

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3442286286-239921721
Opcode ID: a6ae5782dddeabc4c60a0d9b4630bda052b470c4a8dc841844afe3ef80610f6a
Instruction ID: 72ab1e9aa48903f52e9c1a6c876504514b9565d80192bcb08feff608f09bf5b7
Opcode Fuzzy Hash: a6ae5782dddeabc4c60a0d9b4630bda052b470c4a8dc841844afe3ef80610f6a
Instruction Fuzzy Hash: D2618FB19083A09FE711CB68CCC1A697FEAFB02254F72052AF4859B1A2D771DBC2C755

Function 00406050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoA.KERNELBASE(00000000), ref: 00406073
LoadLibraryExA.KERNELBASE(00000000,00000000,00000002), ref: 0040612D
LoadLibraryExA.KERNELBASE(00000000,00000000,00000002), ref: 00406163

Strings

., xrefs: 004060B0

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: LibraryLoad$InfoLocale
String ID: .
API String ID: 4237408684-248832578
Opcode ID: aed9d4decfd67b3f8e087d36bc5631469c1971adc071affd3ba93eb20d7079be
Instruction ID: d5961b152249e163c8a4aefe5a3d4337f74588dd9b2580b06351314193e505ed
Opcode Fuzzy Hash: aed9d4decfd67b3f8e087d36bc5631469c1971adc071affd3ba93eb20d7079be
Instruction Fuzzy Hash: C6319375E0025D6AFB26D6B88C46FDF7BAC8B04344F0541F7B605F61C2EA788E848B54

Function 100021DD Relevance: 133.2, APIs: 6, Strings: 70, Instructions: 201
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 100022AB
LoadLibraryA.KERNELBASE(00000000), ref: 100022C7
GetProcAddress.KERNELBASE(?,00000000), ref: 100022E7
LoadLibraryA.KERNEL32(00000000,00000000), ref: 100023D1
GetProcAddress.KERNEL32(00000000), ref: 100023D8
WriteProcessMemory.KERNELBASE(000000FF,?,?,00000005,?), ref: 10002496

Strings

g, xrefs: 10002246
l, xrefs: 1000228A
*, xrefs: 1000232F
d, xrefs: 1000241F
`, xrefs: 1000232B
), xrefs: 1000235F
m, xrefs: 10002262
$, xrefs: 100023A7
g, xrefs: 10002296
], xrefs: 1000220E
J, xrefs: 10002282
U, xrefs: 10002216
8, xrefs: 1000237B
>, xrefs: 100023AF
%, xrefs: 1000238F
j, xrefs: 10002236
I, xrefs: 10002206
\, xrefs: 100021FE
#, xrefs: 10002383
A, xrefs: 1000225E
8, xrefs: 1000239F
%, xrefs: 1000237F
N, xrefs: 100021EE
", xrefs: 10002337
%, xrefs: 10002353
Q, xrefs: 100021FA
<, xrefs: 10002397
<, xrefs: 10002377
", xrefs: 10002387
:, xrefs: 1000231B
", xrefs: 10002323
), xrefs: 100023AB
g, xrefs: 1000224E
z, xrefs: 10002272
l, xrefs: 10002266
", xrefs: 10002327
-, xrefs: 1000239B
9, xrefs: 1000221A
?, xrefs: 10002393
N, xrefs: 1000233B
P, xrefs: 1000223A
c, xrefs: 10002286
g, xrefs: 1000223E
c, xrefs: 10002232
g, xrefs: 1000226E
*, xrefs: 1000231F
l, xrefs: 10002252
@, xrefs: 1000227A
a, xrefs: 10002256
d, xrefs: 10002242
p, xrefs: 1000224A
4, xrefs: 1000236B
f, xrefs: 1000228E
), xrefs: 10002373
?, xrefs: 1000235B
J, xrefs: 100021F2
/, xrefs: 1000236F
{, xrefs: 1000227E
U, xrefs: 10002202
, xrefs: 10002317
U, xrefs: 1000222E
U, xrefs: 10002212
L, xrefs: 100023B3
>, xrefs: 10002363
/, xrefs: 100023A3
v, xrefs: 10002276
g, xrefs: 1000225A
v, xrefs: 1000226A
", xrefs: 10002333
n, xrefs: 10002292

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressLibraryLoadProc$HandleMemoryModuleProcessWrite
String ID: $"$"$"$"$"$#$$$%$%$%$)$)$)$*$*$-$/$/$4$8$8$9$:$<$<$>$>$?$?$@$A$I$J$J$L$N$N$P$Q$U$U$U$U$\$]$`$a$c$c$d$d$f$g$g$g$g$g$g$j$l$l$l$m$n$p$v$v$z${
API String ID: 2057502401-2508479926
Opcode ID: c1014eec9416fa3c2b52ba93eff12223e773908593d619bc2bae335d97a14e42
Instruction ID: 4e0abb666f08f4022c9a6e8e0e86adbd2890ae4587ce7265ef776366e2200a0a
Opcode Fuzzy Hash: c1014eec9416fa3c2b52ba93eff12223e773908593d619bc2bae335d97a14e42
Instruction Fuzzy Hash: BCB1F660C083C8DEEB12C7E8D4587DEBFB55F26308F184199D1847B287C7BA5649CB66

Function 100098E5 Relevance: 91.4, APIs: 12, Strings: 40, Instructions: 395
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 100098EE
OpenProcessToken.ADVAPI32(00000000), ref: 100098F5
CloseHandle.KERNEL32(?), ref: 10009974
GetModuleHandleA.KERNEL32(00000000), ref: 10009A43
LoadLibraryA.KERNEL32(00000000), ref: 10009A65
GetProcAddress.KERNEL32(?,00000000), ref: 10009A91
GetModuleHandleA.KERNEL32(00000000), ref: 10009B41
LoadLibraryA.KERNELBASE(00000000), ref: 10009B66
GetProcAddress.KERNEL32(?,00000000), ref: 10009C1B

Strings

d, xrefs: 10009C5B
-, xrefs: 10009E62
`, xrefs: 10009A16
^, xrefs: 10009A2E
d, xrefs: 10009A1A
<, xrefs: 10009E66
6, xrefs: 10009E72
l, xrefs: 100099D9
h, xrefs: 100099EE
Y, xrefs: 10009EAA
-, xrefs: 10009E8E
8, xrefs: 10009E5E
7, xrefs: 10009E9A
|, xrefs: 10009A26
3, xrefs: 10009CFA
+, xrefs: 10009E96
z, xrefs: 100099E0
*, xrefs: 10009E82
<, xrefs: 10009E92
<, xrefs: 10009E7A
8, xrefs: 10009E9E
+, xrefs: 10009E6E
l, xrefs: 10009A1E
q, xrefs: 10009A0E
], xrefs: 10009A12
<, xrefs: 10009E5A
f, xrefs: 10009A0A
s, xrefs: 10009AA6
7, xrefs: 10009E8A
K, xrefs: 10009A03
5, xrefs: 10009EA2
D, xrefs: 100099D2
z, xrefs: 100099E7
:, xrefs: 10009E76
l, xrefs: 100099FC
*, xrefs: 10009E7E
f, xrefs: 10009A22
+, xrefs: 10009E56
n, xrefs: 100099F5
}, xrefs: 10009A2A

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Handle$AddressLibraryLoadModuleProcProcess$CloseCurrentOpenToken
String ID: *$*$+$+$+$-$-$3$5$6$7$7$8$8$:$<$<$<$<$D$K$Y$]$^$`$d$d$f$f$h$l$l$l$n$q$s$z$z$|$}
API String ID: 2911793071-3312574243
Opcode ID: 3c663efaba5962c88d892cbffeed0b1b32bac1979cbb8ae8162b76b0a0623c58
Instruction ID: 7d7937479aa8ab84115c2a0502d8e9b3c77517eda7480cd020832e116561bcce
Opcode Fuzzy Hash: 3c663efaba5962c88d892cbffeed0b1b32bac1979cbb8ae8162b76b0a0623c58
Instruction Fuzzy Hash: C9225260D083D9CDEB21C7788C48BDDBFB15F26224F0883D9D1A96B2D6D3754A85CB62

Function 10009C4C Relevance: 42.2, APIs: 3, Strings: 21, Instructions: 185
injectionlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(000000FF,?,00000033,00000005,?), ref: 10009D36
GetProcAddress.KERNEL32(774B0000,00000000), ref: 10009EC2
WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,?), ref: 10009F88

Strings

d, xrefs: 10009C5B
8, xrefs: 10009E9E
-, xrefs: 10009E62
+, xrefs: 10009E6E
Y, xrefs: 10009EAA
<, xrefs: 10009E66
6, xrefs: 10009E72
<, xrefs: 10009E5A
-, xrefs: 10009E8E
8, xrefs: 10009E5E
7, xrefs: 10009E8A
5, xrefs: 10009EA2
7, xrefs: 10009E9A
3, xrefs: 10009CFA
:, xrefs: 10009E76
+, xrefs: 10009E96
*, xrefs: 10009E7E
+, xrefs: 10009E56
*, xrefs: 10009E82
<, xrefs: 10009E92
<, xrefs: 10009E7A

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: MemoryProcessWrite$AddressProc
String ID: *$*$+$+$+$-$-$3$5$6$7$7$8$8$:$<$<$<$<$Y$d
API String ID: 1576538433-890581407
Opcode ID: cf9e8e39d8329feb2e8cc34bd602e6bc8fb5d931548e7ed7a7cb2c0e7a67ab56
Instruction ID: 5fd1f56bfbb58330aa1018ac920baed12bdd2403633b8cc0c362beed382b6541
Opcode Fuzzy Hash: cf9e8e39d8329feb2e8cc34bd602e6bc8fb5d931548e7ed7a7cb2c0e7a67ab56
Instruction Fuzzy Hash: 1191D730D082D9DEEB21C768C844BDDBFB19F16354F4882D9D1997B2C2D3754A45CB62

Function 1001B44D Relevance: 13.7, APIs: 9, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(00000000,00000000,1001C384,00000001,1001C384,00000001,00000000,0068118C,10014AF4,0000000C,?,?,?,0000000B,0000000B), ref: 1001B48B
CompareStringA.KERNEL32(00000000,00000000,1001C380,00000001,1001C380,00000001,?,10018947), ref: 1001B4A8
CompareStringA.KERNEL32(?,?,00000000,10018947,?,0000000B,00000000,0068118C,10014AF4,0000000C,?,?,?,0000000B,0000000B), ref: 1001B506
GetCPInfo.KERNEL32(0000000B,00000000,00000000,0068118C,10014AF4,0000000C,?,?,?,0000000B,0000000B,?,10018947), ref: 1001B557
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,10018947), ref: 1001B5D6
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,10018947), ref: 1001B637
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,10018947), ref: 1001B64A
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,10018947), ref: 1001B696
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,10018947), ref: 1001B6AE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 146c12c68f6d2c960b9ee43d01a89832004135fe910e0164c3854f899a4b7fb0
Instruction ID: 1f765cab58222e79d966b81d0bde82bf4c8a1c0bbe4d60f552caf681d713b902
Opcode Fuzzy Hash: 146c12c68f6d2c960b9ee43d01a89832004135fe910e0164c3854f899a4b7fb0
Instruction Fuzzy Hash: CF71AF71A00A9AEFDF21CF908C85ADE7FBAEB05384F11412AF950AA160D335DD91DB90

Function 1000DB11 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 1000DB32
EnumWindows.USER32(Function_0000D9F6,00001E5C), ref: 1000DB80
IsBadWritePtr.KERNEL32(00000000,00000001), ref: 1000DC20

Strings

}, xrefs: 1000DB19

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: EnumSleepWindowsWrite
String ID: }
API String ID: 1646427702-4239843852
Opcode ID: 45e349d6bfc97253593caa86f7035e6b763d2f6482b559f54145bc8ebd1f5f9b
Instruction ID: bd095a3c4a1ad5d1e619146e2f16f3011249ac1a2abf0d68d606d93722cf1396
Opcode Fuzzy Hash: 45e349d6bfc97253593caa86f7035e6b763d2f6482b559f54145bc8ebd1f5f9b
Instruction Fuzzy Hash: 3B412375A042459AFB00FBA8CC86FEE3774EF44381F448529F406B62D6DB71A804CBB5

Function 100169AD Relevance: 9.1, APIs: 6, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,10013180,100131D4,?,?,?), ref: 100169E5
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,10013180,100131D4,?,?,?), ref: 100169F0
HeapFree.KERNEL32(00000000,?,?,?,?,?,10013180,100131D4,?,?,?), ref: 100169FD
HeapFree.KERNEL32(00000000,?,?,?,?,10013180,100131D4,?,?,?), ref: 10016A19
VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,10013180,100131D4,?,?,?), ref: 10016A3A
HeapDestroy.KERNELBASE(?,?,10013180,100131D4,?,?,?), ref: 10016A4C

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: a8ef3d0b687a4371e74b7a30ffd01a8a9c2997e16e07f86ca4cf120adce3355b
Instruction ID: 32430127ef2a12ce82ab4650aea6dd4bbe8663c0aee62abd58dfd68e7977107f
Opcode Fuzzy Hash: a8ef3d0b687a4371e74b7a30ffd01a8a9c2997e16e07f86ca4cf120adce3355b
Instruction Fuzzy Hash: 4911AD31280265ABE661EF10CEC5F05B7A5EB48761F768024F642BB0A1C772FC82CF48

Function 1002DF80 Relevance: 6.2, APIs: 4, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924f5878d330e6ae71c2633518a33a6ec05d637f4d63d454074fd01cf40d346c
Instruction ID: eed6df2236576beabf2c7d52bd3b6cb6e2f7a67aa77d779b0fbfd08cb0478442
Opcode Fuzzy Hash: 924f5878d330e6ae71c2633518a33a6ec05d637f4d63d454074fd01cf40d346c
Instruction Fuzzy Hash: 6D513571A842D24BD710EA78ECC4794BBD0EB45364BA90739D9E6CB3C6E7E45C468360

Function 00483364 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004069E4: GetModuleHandleA.KERNEL32(00000000,?,0048337F), ref: 004069F0

Part of subcall function 00406B6C: CreateMutexA.KERNEL32(?,?,?,?,004833C5,00000000,000000FF,FSFocus), ref: 00406B82

GetLastError.KERNEL32(00000000,000000FF,FSFocus), ref: 004833C5

Part of subcall function 00483030: FindWindowA.USER32(FastStoneScreenFocusPanel,00000000), ref: 00483065

Strings

FSQuitNow, xrefs: 004833D1
Screen Focus, xrefs: 00483394
FSFocus, xrefs: 004833B7

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: CreateErrorFindHandleLastModuleMutexWindow
String ID: FSFocus$FSQuitNow$Screen Focus
API String ID: 4003053590-3403729768
Opcode ID: 0b469434849ab8f021ceb396ac2d7fbd6134b4e47b4bacd9e40a932e0b826fad
Instruction ID: b98a893a2d5c0dc265f364808c145081ca19208f5c959136749e89e239dbfa26
Opcode Fuzzy Hash: 0b469434849ab8f021ceb396ac2d7fbd6134b4e47b4bacd9e40a932e0b826fad
Instruction Fuzzy Hash: 2F31BF706042018FD701FF65C88296E77A4EB89B19B51497BF914D73E2EE389A04CB6E

Function 10012598 Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 100125A5
GetSystemTime.KERNEL32(?), ref: 100125AF
GetTimeZoneInformation.KERNELBASE(?), ref: 10012604

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 3e1ca9ace8f0922f5f16b5d304d6fc68c37fa7b30300a325030dfed90a2fc59a
Instruction ID: ac16bf9539afbedd2c5e5af88f7939321bc5791ed11b9dbcd7e1e6b9e2384753
Opcode Fuzzy Hash: 3e1ca9ace8f0922f5f16b5d304d6fc68c37fa7b30300a325030dfed90a2fc59a
Instruction Fuzzy Hash: E62162B980141AE9DB11EB98C984AFEB3F9FB09761F900101F921AA1D0E375CDD2D774

Function 100041C6 Relevance: 4.6, APIs: 3, Instructions: 63fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(000000FF,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000420C
ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000), ref: 10004245
CloseHandle.KERNEL32(000000FF), ref: 1000424F

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$CloseHandleReadSize
String ID:
API String ID: 3642004256-0
Opcode ID: 385a44d6ba7514c4266fc13b8da5f4ee3dd73cf86c0f12b003f9c06b97154f09
Instruction ID: 3b2cce6aa4bc0e1df35e5fc4b422913606dacb86dc9628502f3f091f081f667c
Opcode Fuzzy Hash: 385a44d6ba7514c4266fc13b8da5f4ee3dd73cf86c0f12b003f9c06b97154f09
Instruction Fuzzy Hash: EE1121B9E00208EBDB04DF98CC86FDE7B79EF48750F104558F605A7284DB71AA41CBA1

Function 10011DD3 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 10011DFF
TlsSetValue.KERNEL32(?), ref: 10011E2D

Part of subcall function 10014324: TlsGetValue.KERNEL32(FFFFFFFF,00000000,10011EC4,00000000,?,10011E5A), ref: 1001433C
Part of subcall function 10014324: TlsSetValue.KERNEL32(00000000,00000000,10011EC4,00000000,?,10011E5A), ref: 100143BC

Strings

Y6, xrefs: 10011E54

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Value
String ID: Y6
API String ID: 3702945584-770635656
Opcode ID: 6b1c1ecef028cbef58cf321e3a47119cf15ae2dbd1553cea674b2e1b5e2399de
Instruction ID: a894eb4b2a1526ab7af96094cbfdb570735578eee3b6b7a34983b6b6d128135a
Opcode Fuzzy Hash: 6b1c1ecef028cbef58cf321e3a47119cf15ae2dbd1553cea674b2e1b5e2399de
Instruction Fuzzy Hash: 0311C272500625EFD714DFA9CC45F9A7BF8FB04760F108529F9119B6A0DB35ED80CA94

Function 10011D5C Relevance: 4.5, APIs: 3, Instructions: 49threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100143C4: RtlAllocateHeap.NTDLL(00000008,10011E5A,00000000), ref: 100144BA

CreateThread.KERNELBASE(00000000,00000004,Function_00011DD3,00000000,00000004,00000000), ref: 10011D94
ResumeThread.KERNELBASE(00000000,?,?,1000E3DE,Function_0000C842,00000000,00000000), ref: 10011DA4
GetLastError.KERNEL32(?,?,1000E3DE,Function_0000C842,00000000,00000000), ref: 10011DAF

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Thread$AllocateCreateErrorHeapLastResume
String ID:
API String ID: 1716352560-0
Opcode ID: 4a693c1a7c0130d8256d54b02b3a0db4a5b2461d7771a31befb7a034707c6015
Instruction ID: 6b40658bdb990657c0e624a7753350b0d9b8fe889fb6d86fda8b0815184f8898
Opcode Fuzzy Hash: 4a693c1a7c0130d8256d54b02b3a0db4a5b2461d7771a31befb7a034707c6015
Instruction Fuzzy Hash: FA01D63A5057206BD224DB3ABC44D9B7AE5DFC6670F12061DFA64DB2D0CF70D8818691

Function 10001953 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(000000FF,0000008B,?,00000005,?), ref: 10001A26

Strings

U, xrefs: 100019B9

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: U
API String ID: 3559483778-3372436214
Opcode ID: 95bcbcd445a861993f6133570b15523b5340e37b7dc674ea86adea5778b856c8
Instruction ID: d8bb290e16210fd3f6e19a525eeec851f8e0a4be218f06497376150335ff61ed
Opcode Fuzzy Hash: 95bcbcd445a861993f6133570b15523b5340e37b7dc674ea86adea5778b856c8
Instruction Fuzzy Hash: 72312675A04189AFDB00CBB8D8A5BEFBFB1EF0A360F548398E5659B2C5D7309640C791

Function 10016950 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100130DA,00000001), ref: 10016961

Part of subcall function 10016808: GetVersionExA.KERNEL32 ref: 10016827

HeapDestroy.KERNEL32 ref: 100169A0

Part of subcall function 10016BE1: RtlAllocateHeap.NTDLL(00000000,00000140,10016989), ref: 10016BEE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Heap$AllocateCreateDestroyVersion
String ID:
API String ID: 760317429-0
Opcode ID: d57b725f33a924c1015ce50ccdf05509821a3f6b87ac5c3d16db616949c7e180
Instruction ID: bdbd41b82c7ac91006049f6af939f6a340871bdd2ff2836b0351b3e30c2b98b1
Opcode Fuzzy Hash: d57b725f33a924c1015ce50ccdf05509821a3f6b87ac5c3d16db616949c7e180
Instruction Fuzzy Hash: 16F06D74664312ABFB519B708EC6B5936DCEB48792F314829F801CD0A5EB71D5C1D602

Function 100016B3 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 100016E2
RtlLeaveCriticalSection.NTDLL(10021420), ref: 100016F7

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CreateCriticalFileLeaveSection
String ID:
API String ID: 241413389-0
Opcode ID: 78e251c624cdf51bf2bdc9fcb5406858180ed0e91f405c9448da0aacb1f6967f
Instruction ID: a9e70f15d98e270bbb7fe75853633fd90720edd09bc5374121c6fc5a0956b38e
Opcode Fuzzy Hash: 78e251c624cdf51bf2bdc9fcb5406858180ed0e91f405c9448da0aacb1f6967f
Instruction Fuzzy Hash: E1F0D476640148EBDB00CF98EC88EDA7BE8EB9D301F148149FA09D3351D739E959CBA4

Function 100085B4 Relevance: 3.0, APIs: 2, Instructions: 28sleepCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_000032C5,00001E5C), ref: 100085E4
Sleep.KERNELBASE(00000064), ref: 100085EC

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: 3dc0e4d5e070a7a70453f0807675e30ef6759b51afd3c0b37bfd59074e937e50
Instruction ID: 0bc78a7fa69e3e467ad7f653599aa045c5a3ab046108907200b6942465f154de
Opcode Fuzzy Hash: 3dc0e4d5e070a7a70453f0807675e30ef6759b51afd3c0b37bfd59074e937e50
Instruction Fuzzy Hash: 63E022316042C49FE300DBA4CE4456E7BB4FB8328772181BADA85CB216D631CE05DB25

Function 10001CF1 Relevance: 3.0, APIs: 2, Instructions: 26memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 10001D00
WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 10001D1A

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: MemoryProcessProtectVirtualWrite
String ID:
API String ID: 214326562-0
Opcode ID: 53b8d29059f3c53da0740756323cb53de5d3c03976e2e2d845130a82039365a9
Instruction ID: 90996afca376c582a65bd943481bd12db638c31c0766fa15e59b2c7a81935a7a
Opcode Fuzzy Hash: 53b8d29059f3c53da0740756323cb53de5d3c03976e2e2d845130a82039365a9
Instruction Fuzzy Hash: C6E07EBA240109BBDB04DF99E894DEB77A9FB8D221F108259FA19D7250C631E9118BA0

Function 1001390C Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000), ref: 100139F3

Part of subcall function 1001470E: RtlInitializeCriticalSection.NTDLL(00000000), ref: 1001474B
Part of subcall function 1001470E: RtlEnterCriticalSection.NTDLL(10011E5A), ref: 10014766

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 65b8887dd7ce0afcce7474163219d1aa0826ff1a6789e0b51af4cd8c498a35f5
Instruction ID: 6876498b62955bb29e28edacedd82be48d713326a8307753d163bd518600bc88
Opcode Fuzzy Hash: 65b8887dd7ce0afcce7474163219d1aa0826ff1a6789e0b51af4cd8c498a35f5
Instruction Fuzzy Hash: 7B21C832A04215ABDB00DFA5DC82B8EB7A8FB01764F218525F861EF1D1C7B4E9C18B94

Function 10008349 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000,00000000), ref: 100083A3

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d5daecca44004ef12fd6d9ef0c0880db4f131a5b247fff9b342e9f43078ecc74
Instruction ID: 6f94ab387ec959997d3855d9bc9298f8262591e4f15be920aad47798307c6f30
Opcode Fuzzy Hash: d5daecca44004ef12fd6d9ef0c0880db4f131a5b247fff9b342e9f43078ecc74
Instruction Fuzzy Hash: 8C11E635C042C999EB01D7B8DC959EEBB38DF21350F00CA98E465360D6DF346B06C7A1

Function 0040772E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407759

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0a9f5100fc918968e01ce87abca33f99820cddca8862cc32bc6a170c84909b0b
Instruction ID: 5c1343b9f7c50fd4d1f4b6af425b026c83073c7ee43b4003069ba5d46ce7d63d
Opcode Fuzzy Hash: 0a9f5100fc918968e01ce87abca33f99820cddca8862cc32bc6a170c84909b0b
Instruction Fuzzy Hash: A0E0FEB2204209BFEB00DE8ADCC1DABB7ACFB4C654F804115BB1C97242D275AD608B71

Function 00407730 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00407759

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 776143f7715d542f9dbac4eb9774147f02f5dda3c42c994d9bc7221095acc648
Instruction ID: dd2f81adcbd704d1fa72263cc1433ce0b9390083bc081abfe4ae1f3a173ab130
Opcode Fuzzy Hash: 776143f7715d542f9dbac4eb9774147f02f5dda3c42c994d9bc7221095acc648
Instruction Fuzzy Hash: 9EE002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F804105BB1C972429275BD608B71

Function 00406B6C Relevance: 1.5, APIs: 1, Instructions: 14synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,004833C5,00000000,000000FF,FSFocus), ref: 00406B82

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction ID: 10e0cef987d71490a28e34074a8695c6cb9ac52d543c3eee2fc8a7d14aa20fed
Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
Instruction Fuzzy Hash: 5BC01273550348ABC700EEB9CC05D9B33DC5718609B04C425B519C7100C13DE5508B64

Function 1001428C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

Part of subcall function 100146A2: RtlDeleteCriticalSection.NTDLL(00000000), ref: 100146D6
Part of subcall function 100146A2: RtlDeleteCriticalSection.NTDLL(?), ref: 100146F1
Part of subcall function 100146A2: RtlDeleteCriticalSection.NTDLL ref: 100146F9
Part of subcall function 100146A2: RtlDeleteCriticalSection.NTDLL ref: 10014701
Part of subcall function 100146A2: RtlDeleteCriticalSection.NTDLL ref: 10014709

TlsFree.KERNELBASE(FFFFFFFF,1001317B,100131D4,?,?,?), ref: 1001429C

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalDeleteSection$Free
String ID:
API String ID: 1584690612-0
Opcode ID: a74f767b184570ca40bb88cf255787fb85a01160242663b9f46070779e8f5448
Instruction ID: 0bc67f5c26d48e8e3b49aebb244aaf441ed27bead98c9941f436497231dd84b6
Opcode Fuzzy Hash: a74f767b184570ca40bb88cf255787fb85a01160242663b9f46070779e8f5448
Instruction Fuzzy Hash: 6EC04C385405A15AF50097358C8A40C36A5B7463343E14B00F5B6D71F1DF35E8838640

Non-executed Functions

Function 1001A909 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

9, xrefs: 1001A9CA
9, xrefs: 1001AB9A
9, xrefs: 1001AB56
9, xrefs: 1001AA1E
9, xrefs: 1001AB8A
+, xrefs: 1001A9DB
0, xrefs: 1001AB77
c, xrefs: 1001A9F8
0, xrefs: 1001AA33
9, xrefs: 1001A978
0, xrefs: 1001ABA8
e, xrefs: 1001AA01
E, xrefs: 1001A9F3
0, xrefs: 1001AAAA
0, xrefs: 1001A9E5
+, xrefs: 1001AAFE
1, xrefs: 1001AB81
-, xrefs: 1001A9E0
-, xrefs: 1001AB07
1, xrefs: 1001AB4E
C, xrefs: 1001A9EA

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 02c3caaac3c92d81e763761eb11773d502a5f362e8cef113d214514b31a5d748
Instruction ID: 1151663046375f0bd72665096eb55200e10bb20f319d8389160cc346b3c20120
Opcode Fuzzy Hash: 02c3caaac3c92d81e763761eb11773d502a5f362e8cef113d214514b31a5d748
Instruction Fuzzy Hash: 8CE1DE31D4829ACEEB25CBA4C9817EDBBF2EF06391F644016D801AF192D778D9C1DB51

Function 1000E613 Relevance: 15.1, APIs: 10, Instructions: 114fileCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1000E635
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1000E645
CreateFileMappingA.KERNEL32(000000FF,0000000C,00000004,00000000,0000000C,?), ref: 1000E65D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000E679
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1000E6C9
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 1000E6D9
UnmapViewOfFile.KERNEL32(?), ref: 1000E6E6
CreateFileMappingA.KERNEL32(000000FF,0000000C,00000004,00000000,?,00000000), ref: 1000E6FE
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000E71A

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$DescriptorSecurity$View$CreateDaclInitializeMapping$Unmap
String ID:
API String ID: 2976166598-0
Opcode ID: f12682f1efea132ace4a08111bff6bcb4100753d33b8be5f90b0e0aa8278098a
Instruction ID: d80dcd57228ff9489ba574671cb5d72d9d387f93bd786646ed1c1ec871a04610
Opcode Fuzzy Hash: f12682f1efea132ace4a08111bff6bcb4100753d33b8be5f90b0e0aa8278098a
Instruction Fuzzy Hash: BD41A079A40208EBEB14CF94C985F9DB7B5EB48714F208549EA15AB281C7B1AA42CB54

Function 10007752 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(00000000,?), ref: 100077C9
FindFirstFileA.KERNEL32(00000000,?,0000002A,?,00000000,00000000), ref: 1000783C
FindClose.KERNEL32(000000FF), ref: 1000784F
SetErrorMode.KERNEL32(00008003), ref: 1000788A
_rand.LIBCMT ref: 100078A0

Strings

z, xrefs: 10007786

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Find$CloseDriveErrorFileFirstModeType_rand
String ID: z
API String ID: 1985845384-1657960367
Opcode ID: 08bf31815ac2e9826e0790b2dfe7cfebb163826cd52d1fec506ecf311d19cd9b
Instruction ID: 1702e389a595363f7e77714cb365bb6fb82423c9edef5d24fac9a96a4de05a7f
Opcode Fuzzy Hash: 08bf31815ac2e9826e0790b2dfe7cfebb163826cd52d1fec506ecf311d19cd9b
Instruction Fuzzy Hash: B151AC75D041589BEB14EBA0DC96ADD7374FF08380F1088A9E41AB7196EF35AE44CBA1

Function 100083FF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(00000000,?), ref: 10008493
FindFirstFileA.KERNEL32(00000000,?,0000002A,?,00000000,00000000), ref: 10008506
FindClose.KERNEL32(000000FF), ref: 10008519

Strings

z, xrefs: 10008450

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Find$CloseDriveFileFirstType
String ID: z
API String ID: 1265060940-1657960367
Opcode ID: 3e22c44693aa2dd86ddb1620ab672697263d0526e67f5394c0f725933d6d4254
Instruction ID: 2f7907a1dd21136cec039dc86337fc36dfa9d4f331b8e4b8f0617d5f268f2e15
Opcode Fuzzy Hash: 3e22c44693aa2dd86ddb1620ab672697263d0526e67f5394c0f725933d6d4254
Instruction Fuzzy Hash: 39418C76C10159ABEB04EBA0EC91AEEB778FF04380F508959E45A77199EF306F44CB91

Function 100066AC Relevance: 6.5, APIs: 4, Instructions: 451fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,0000002A,?,?,?,?,?,?,00000001,?), ref: 10006749
FindNextFileA.KERNEL32(000000FF,?), ref: 100069A8
FindClose.KERNEL32(000000FF), ref: 100069BA
GetTickCount.KERNEL32 ref: 10006B4E

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Find$File$CloseCountFirstNextTick
String ID:
API String ID: 1235538443-0
Opcode ID: 629ca1a912482b7b1786a38ec84271b8db7efbb429891b7987317043b7735b5c
Instruction ID: 3f32b28ad389ff5f4a89660a98533d0622329e44ff147a94ff582a6079f94869
Opcode Fuzzy Hash: 629ca1a912482b7b1786a38ec84271b8db7efbb429891b7987317043b7735b5c
Instruction Fuzzy Hash: 3B026775C101999AFB14EBA0CC92EED7778EF14380F5048A9E4097709AEF357E89CB61

Function 100060BA Relevance: 6.4, APIs: 4, Instructions: 410fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,0000002A,?,?,?,?,?,?,00000001,?), ref: 10006174
FindNextFileA.KERNEL32(000000FF,?), ref: 100063D3
FindClose.KERNEL32(000000FF,?,?), ref: 100063E5

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0595b5e666b05330276af15fa0a8dee4885658fe47077d74699f6994bc2ede05
Instruction ID: c794df64d86015f92d61ac747eb0828bc0ae87cf9b6233a5be2aeae37ea1312a
Opcode Fuzzy Hash: 0595b5e666b05330276af15fa0a8dee4885658fe47077d74699f6994bc2ede05
Instruction Fuzzy Hash: 4FE1A4758142999AFB14EBA0CC92DED7778EF14380F5048A9F4067709AEF307E89CB61

Function 10007965 Relevance: 6.2, APIs: 4, Instructions: 202processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 1000798C
Module32First.KERNEL32(000000FF,00000224), ref: 100079DC
Module32Next.KERNEL32(?,?), ref: 10007AF1

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Module32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 3702378198-0
Opcode ID: 5fbb554c9afe30d57229345c5d634db22eb16a9c270f58801ec610c4d54cc545
Instruction ID: 5c8bc627f96ea7ae32483b8212d146e4c73b4b086cee794b2d4e36ce44408996
Opcode Fuzzy Hash: 5fbb554c9afe30d57229345c5d634db22eb16a9c270f58801ec610c4d54cc545
Instruction Fuzzy Hash: 7D71C376D011549AFB24EB64CC46BEE73B4FF44380F5049E9E40DA218AEF35AF448B52

Function 00408F58 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000), ref: 00408F73
FindClose.KERNEL32(00000000,00000000), ref: 00408F7E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00408F97
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00408FA8

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 2a3b8a708d3ee5bb83b022e150c25873814ee872db9c5a27df9b0c703696359f
Instruction ID: a69bb797b09d6502853dc52a00d293f1bb6eaee65df40a2cd5fc7594c1a6da3c
Opcode Fuzzy Hash: 2a3b8a708d3ee5bb83b022e150c25873814ee872db9c5a27df9b0c703696359f
Instruction Fuzzy Hash: 39F0ECB290021CA6CB10EAE58D85ACFB3BC5B45324F5006BBB569F21D2EB39AB544B54

Function 10017E3B Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00017DF5), ref: 10017E40

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c569d3c020144b871088230af9e94d2e91b7433bf872932a80fd5e8bb619b43e
Instruction ID: c02097a40a87b29e4e2698d4c43607d8a69446dd7d27b78697932df694000373
Opcode Fuzzy Hash: c569d3c020144b871088230af9e94d2e91b7433bf872932a80fd5e8bb619b43e
Instruction Fuzzy Hash: 8EA022B00002388BFB008F308CC88003A30FB02223B30000CFB2B80228CB30C0C28E00

Function 10017E4D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10017E52

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a7b67f61ca3d209bdfb73f2036888beb0adc4db11d7805f53fb53d5d41f9821b
Instruction ID: d91e04de4154f9aa53e37bed44e58d41ebb069b1f44d79994f4cf31f0f072eac
Opcode Fuzzy Hash: a7b67f61ca3d209bdfb73f2036888beb0adc4db11d7805f53fb53d5d41f9821b
Instruction Fuzzy Hash:

Function 10017432 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 47d46cdca21bb5d075aabbafd900a2f731485a37008bf14c38e3e398d20af243
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: FAB15A3590064A9FDB15CF08C5D0A98BBF2FB48358F25819DD90A5F392D731EA86CB90

Function 100129F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: 7792282e75a1af133dd375dae3b182fee8b30d43b289de230fac5753d8ce34cd
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 76113DF760018247D794CA69D4B02BBA3DAEFC52607FD827AD0428F254D672D9E58502

Function 00407462 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513abba944a6704ba96046797d2ca8b674e185bfdc8e44f0bff91194aff11df4
Instruction ID: f6b481a4330650b55a3c66bcc2282b7ef7fbec61ad93bbe0eca31214826b80fe
Opcode Fuzzy Hash: 513abba944a6704ba96046797d2ca8b674e185bfdc8e44f0bff91194aff11df4
Instruction Fuzzy Hash:

Function 00406C7A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04e6d1d4b5fa03757e4f5fd44c8a52fde6cb8f8d8db54abf43b958a5f92554a
Instruction ID: 88784f5078c2631f061ba3e7bedd5c0b667efe7ce51ac804275c8b81a5e5a29e
Opcode Fuzzy Hash: e04e6d1d4b5fa03757e4f5fd44c8a52fde6cb8f8d8db54abf43b958a5f92554a
Instruction Fuzzy Hash:

Function 00406C12 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24542dfc314b9ce201237aa137af3c4ec3adf7c99a688794abf8e79bb88e6456
Instruction ID: 06a5b63d2aa0240abf9938974b3832a831a89302596b008f7c5ae1d3ab3c5d52
Opcode Fuzzy Hash: 24542dfc314b9ce201237aa137af3c4ec3adf7c99a688794abf8e79bb88e6456
Instruction Fuzzy Hash:

Function 00406C22 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72ce178160ebff565d734ed4456d783b6eb63050c4fc46844c843551e4d155b
Instruction ID: 9a8733431a16fb51ea847228a2ad478304c93ad08a3d2f017486dbf9d9cfb1d6
Opcode Fuzzy Hash: c72ce178160ebff565d734ed4456d783b6eb63050c4fc46844c843551e4d155b
Instruction Fuzzy Hash:

Function 00406C2A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff0e13bbdb64392c44ae99d64693b57b1ee51eb4591f86bd93de0be90c30feb
Instruction ID: 57b3d0b1ce7f4e4e815a6d0a4dbb296904f3ce9e1177829c1eafc01fb081bcb4
Opcode Fuzzy Hash: cff0e13bbdb64392c44ae99d64693b57b1ee51eb4591f86bd93de0be90c30feb
Instruction Fuzzy Hash:

Function 004070EA Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34b950086b863648969448265815386960dd3fe9602b64ed7689d24cf8851ee
Instruction ID: c7fda2fdc208d4249dae4d2089c2792b1f27b8c3772d2eba6b0b5c2dcefcc1b1
Opcode Fuzzy Hash: c34b950086b863648969448265815386960dd3fe9602b64ed7689d24cf8851ee
Instruction Fuzzy Hash:

Function 00406C92 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a477201cb35d04e638189247212ca949ee49a5600206acd2e1d5ccf787d419
Instruction ID: 200264b61f2cb464ed1d4d491cbb42a9a3d257d8e0e1818ca8a1f3853d7320e4
Opcode Fuzzy Hash: 42a477201cb35d04e638189247212ca949ee49a5600206acd2e1d5ccf787d419
Instruction Fuzzy Hash:

Function 00406D62 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1f3704861c6b89405fc67d7b250e19e41bd47e1fb1055f3b083a17747df7ae
Instruction ID: 99dc444df88c35d30f42f3621fe0381e7d7b32666ca6e6f144d2d004b374cb08
Opcode Fuzzy Hash: 8f1f3704861c6b89405fc67d7b250e19e41bd47e1fb1055f3b083a17747df7ae
Instruction Fuzzy Hash:

Function 00407522 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479cd0fd67c0cb8450aee28bc7ad59f868df35d48cf09a943289ca252f3537ef
Instruction ID: a52261933bcb20fa8f81388f402c651fdda3ccd1e9420f88302b0ade4d47ec9a
Opcode Fuzzy Hash: 479cd0fd67c0cb8450aee28bc7ad59f868df35d48cf09a943289ca252f3537ef
Instruction Fuzzy Hash:

Function 0040727A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4044781f96c27733fa505e3a412f32c5a8609047184a4b0509a5ceeed5de11b
Instruction ID: 27beef34a3f813a31b48f356e3fa70e160ee7bc64abe10ca4eb239830420ab49
Opcode Fuzzy Hash: c4044781f96c27733fa505e3a412f32c5a8609047184a4b0509a5ceeed5de11b
Instruction Fuzzy Hash:

Function 0040720A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffc1c7798dcda639e7e28170b4033f71cebe151a5cb95b6eaff02d11f3852ad
Instruction ID: 6b2e58c861650b41210681ab189fdc4d6865c85e23d40d6b2823cbda0107df9a
Opcode Fuzzy Hash: bffc1c7798dcda639e7e28170b4033f71cebe151a5cb95b6eaff02d11f3852ad
Instruction Fuzzy Hash:

Function 004073CA Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4996a81f5e63e4312c2d3e8dd9ac88ac69993b12e4ab715772a90f756dd1962
Instruction ID: e0cad26c11644657dc6c620dec55ea3936f483d286ada863ac0396425938823c
Opcode Fuzzy Hash: a4996a81f5e63e4312c2d3e8dd9ac88ac69993b12e4ab715772a90f756dd1962
Instruction Fuzzy Hash:

Function 10006D86 Relevance: 129.9, APIs: 3, Strings: 71, Instructions: 384sleepCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 1000738E
Sleep.KERNEL32(0000003C), ref: 100073A4
SetFileAttributesA.KERNEL32(00000000,00000007), ref: 100073BF

Strings

a, xrefs: 10007061
/, xrefs: 10006F02
n, xrefs: 10006F46
+, xrefs: 10006F0A
l, xrefs: 100070AE
0, xrefs: 100070CA
i, xrefs: 100071B9
}, xrefs: 1000707D
D, xrefs: 10007270
h, xrefs: 10007084
), xrefs: 10006F22
@, xrefs: 10006D8E
I, xrefs: 100072D2
u, xrefs: 100071C0
D, xrefs: 10007269
a, xrefs: 100071A4
B, xrefs: 100071D5
G, xrefs: 100072BD
D, xrefs: 10007293
L, xrefs: 100072E0
<, xrefs: 100070D1
E, xrefs: 100072CB
x, xrefs: 100070B5
z, xrefs: 10006F26
y, xrefs: 100070C3
o, xrefs: 10006F3A
M, xrefs: 10007262
F, xrefs: 100072D9
X, xrefs: 1000728C
a, xrefs: 100070BC
I, xrefs: 10007099
", xrefs: 10006F1E
k, xrefs: 100070A7
[, xrefs: 10007254
t, xrefs: 10007277
4, xrefs: 10006EFE
h, xrefs: 100070A0
h, xrefs: 1000705A
/, xrefs: 10006F8C
P, xrefs: 10007285
s, xrefs: 100071CE
M, xrefs: 100072A8
b, xrefs: 10007196
X, xrefs: 100071C7
a, xrefs: 10007068
t, xrefs: 100072AF
b, xrefs: 10007076
G, xrefs: 1000729A
k, xrefs: 100072B6
E, xrefs: 100072C4
@, xrefs: 1000725B
(, xrefs: 10006E21
J, xrefs: 10007126
u, xrefs: 10006E25
(, xrefs: 10006F16
G, xrefs: 10006F4A
+, xrefs: 10006F0E
~, xrefs: 1000704C
a, xrefs: 10006F3E
Z, xrefs: 100072A1
', xrefs: 10006E15
7, xrefs: 10006F1A
(, xrefs: 100072EE
4, xrefs: 10006E05
., xrefs: 10006E01
M, xrefs: 1000727E
e, xrefs: 10007053
Q, xrefs: 10007092
Q, xrefs: 1000706F
c, xrefs: 1000708B
", xrefs: 10006F06

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AttributesFile$Sleep
String ID: "$"$'$($($($)$+$+$.$/$/$0$4$4$7$<$@$@$B$D$D$D$E$E$F$G$G$G$I$I$J$L$M$M$M$P$Q$Q$X$X$Z$[$a$a$a$a$a$b$b$c$e$h$h$h$i$k$k$l$n$o$s$t$t$u$u$x$y$z$}$~
API String ID: 3637897523-1094257450
Opcode ID: 3bae2ad89de1e6fde6f341a39782d41b075a69fbe6cd56f798c530bf5ccf55c2
Instruction ID: 075c273ffff61ae4cb6696391920be94bb349695b8b234a1009d2e6a093629ea
Opcode Fuzzy Hash: 3bae2ad89de1e6fde6f341a39782d41b075a69fbe6cd56f798c530bf5ccf55c2
Instruction Fuzzy Hash: 28121E51C083D9C9EB22C3B88C497DEBF745B22314F0846D9E1993A2D7DBB55A48CB72

Function 100037C6 Relevance: 100.0, APIs: 6, Strings: 51, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10003AD5
LoadLibraryA.KERNEL32(00000000), ref: 10003AF7
GetProcAddress.KERNEL32(?,00000000), ref: 10003B41
GetProcAddress.KERNEL32(?,00000000), ref: 10003B9E
GetProcAddress.KERNEL32(?,00000000), ref: 10003E5D

Strings

8, xrefs: 100039DE
S, xrefs: 10003A1D
,, xrefs: 100039C2
@, xrefs: 100038C4
v, xrefs: 10003942
U, xrefs: 100038EE
v, xrefs: 10003A5C
j, xrefs: 100038E7
}, xrefs: 1000394A
R, xrefs: 10003966
K, xrefs: 100038D2
g, xrefs: 1000393E
K, xrefs: 100038FC
~, xrefs: 10003A8D
c, xrefs: 1000395A
\, xrefs: 10003956
u, xrefs: 10003815
Z, xrefs: 10003936
Y, xrefs: 10003A55
v, xrefs: 1000395E
}, xrefs: 10003962
%, xrefs: 1000391F
g, xrefs: 10003952
u, xrefs: 10003A63
4, xrefs: 100037CF
~, xrefs: 100039FA
W, xrefs: 1000390A
v, xrefs: 1000394E
{, xrefs: 10003A7F
R, xrefs: 10003A78
@, xrefs: 100038F5
K, xrefs: 100038B6
W, xrefs: 100038CB
n, xrefs: 10003A4E
n, xrefs: 10003A2B
i, xrefs: 10003A6A
t, xrefs: 10003A86
l, xrefs: 100038AF
p, xrefs: 10003903
d, xrefs: 10003918
h, xrefs: 10003A39
v, xrefs: 10003A94
t, xrefs: 10003A40
Q, xrefs: 100038BD
I, xrefs: 10003911
a, xrefs: 10003946
Q, xrefs: 100038E0
}, xrefs: 1000393A
7, xrefs: 1000398A
t, xrefs: 10003A24
@, xrefs: 100038D9

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: %$,$4$7$8$@$@$@$I$K$K$K$Q$Q$R$R$S$U$W$W$Y$Z$\$a$c$d$g$g$h$i$j$l$n$n$p$t$t$t$u$u$v$v$v$v$v${$}$}$}$~$~
API String ID: 384173800-4112467968
Opcode ID: 348e69799074d46e567ea8e3e3605243c458405470cb24f2c652e6dbb5d650ee
Instruction ID: c73f02275797b288a3dba8e9e5f8f61b8e1867e1f75f96d7c7aef259adbbbf6e
Opcode Fuzzy Hash: 348e69799074d46e567ea8e3e3605243c458405470cb24f2c652e6dbb5d650ee
Instruction Fuzzy Hash: EAF13690C087D9C9EB21C7788C487CEBF745F16358F0841D8D29C662D2D7B95A89CB6A

Function 100034FB Relevance: 86.0, APIs: 7, Strings: 42, Instructions: 202COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000), ref: 10003549

Strings

b, xrefs: 10003655
%, xrefs: 1000368D
}, xrefs: 10003717
O, xrefs: 1000373F
), xrefs: 10003649
d, xrefs: 1000363D
c, xrefs: 1000366D
(, xrefs: 10003681
>, xrefs: 1000370F
c, xrefs: 10003645
d, xrefs: 10003661
f, xrefs: 10003707
s, xrefs: 100036F7
{, xrefs: 10003703
u, xrefs: 10003669
', xrefs: 10003659
<, xrefs: 10003747
z, xrefs: 100036FB
>, xrefs: 1000371B
z, xrefs: 1000371F
(, xrefs: 1000365D
', xrefs: 1000367D
0, xrefs: 100036FF
>, xrefs: 10003743
b, xrefs: 1000364D
{, xrefs: 10003723
>, xrefs: 10003737
1, xrefs: 1000373B
}, xrefs: 100036F3
r, xrefs: 10003727
', xrefs: 10003665
', xrefs: 10003671
{, xrefs: 1000370B
(, xrefs: 10003675
>, xrefs: 1000372B
j, xrefs: 10003641
T, xrefs: 10003679
V, xrefs: 10003685
1, xrefs: 10003713
1, xrefs: 1000372F
', xrefs: 10003689
X, xrefs: 10003733

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: DirectoryRemove
String ID: %$'$'$'$'$'$($($($)$0$1$1$1$<$>$>$>$>$>$O$T$V$X$b$b$c$c$d$d$f$j$r$s$u$z$z${${${$}$}
API String ID: 597925465-1573442331
Opcode ID: 07d9973b8181c083f464c5b9cd82a09bc44ed53e9ea09fc40759ee2d3a68e603
Instruction ID: 8511aa442a6f71641b444ada92ce6f0bc022d9d497a1deddc61b231c94919a10
Opcode Fuzzy Hash: 07d9973b8181c083f464c5b9cd82a09bc44ed53e9ea09fc40759ee2d3a68e603
Instruction Fuzzy Hash: 9E918234C082C8D9FB02D7B4C859BDEBF789F21384F448498E4497A1D6DBBA6649C772

Function 1000DDD2 Relevance: 70.3, APIs: 4, Strings: 36, Instructions: 346threadCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000001), ref: 1000DE08
DisableThreadLibraryCalls.KERNEL32(?), ref: 1000DE32
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000DE52
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000DE66

Strings

#, xrefs: 1000DF9F
z, xrefs: 1000E03A
q, xrefs: 1000E04F
E, xrefs: 1000E34D
N, xrefs: 1000E19D
P, xrefs: 1000E1AB
P, xrefs: 1000E1A4
[, xrefs: 1000DFA7
8, xrefs: 1000DF8B
Y, xrefs: 1000E0C5
e, xrefs: 1000E01E
', xrefs: 1000E041
2, xrefs: 1000DF87
>, xrefs: 1000DF8F
k, xrefs: 1000E369
>, xrefs: 1000DF7B
>, xrefs: 1000DF9B
), xrefs: 1000DF7F
F, xrefs: 1000E1B9
P, xrefs: 1000E196
z, xrefs: 1000E025
u, xrefs: 1000DF97
-, xrefs: 1000DF83
#, xrefs: 1000E1CE
U, xrefs: 1000E017
h, xrefs: 1000E02C
l, xrefs: 1000E048
7, xrefs: 1000E30E
[, xrefs: 1000E1C0
>, xrefs: 1000DFA3
(, xrefs: 1000DF93
z, xrefs: 1000E033
(, xrefs: 1000DF77
F, xrefs: 1000E1C7
l, xrefs: 1000E056
E, xrefs: 1000E236

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CallsDirectoryDisableFileLibraryModuleNameReadSystemThread
String ID: #$#$'$($($)$-$2$7$8$>$>$>$>$E$E$F$F$N$P$P$P$U$Y$[$[$e$h$k$l$l$q$u$z$z$z
API String ID: 3981859294-3918468125
Opcode ID: 7141d3d1507d067a0c928fefa00816f564826cd1996f8eeb76695807d09bf90a
Instruction ID: 622606248922636cb9dcec4c54b25f8917374ab843a5ef39112fbbb93fef9a86
Opcode Fuzzy Hash: 7141d3d1507d067a0c928fefa00816f564826cd1996f8eeb76695807d09bf90a
Instruction Fuzzy Hash: 2E024161C087E98ADB32C7788C497CEBF745B26314F0842D8E09C6A2D2D7755BC9CB62

Function 1000B267 Relevance: 57.9, APIs: 6, Strings: 27, Instructions: 187registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 1000B2B2
RegQueryValueExA.ADVAPI32(?,00000000), ref: 1000B35F
RegSetValueExA.ADVAPI32(?,00000000,00000000), ref: 1000B3E2
RegSetValueExA.ADVAPI32(?,00000000), ref: 1000B4A9
RegSetValueExA.ADVAPI32(?,00000000), ref: 1000B5AF
RegCloseKey.ADVAPI32(?), ref: 1000B5BC

Strings

6, xrefs: 1000B550
+, xrefs: 1000B549
C:\PROGRA~1\COMMON~1\System\symsrv.dll, xrefs: 1000B36F, 1000B39C
K, xrefs: 1000B3F6
', xrefs: 1000B4D2
&, xrefs: 1000B51F
', xrefs: 1000B4F5
%, xrefs: 1000B31B
B, xrefs: 1000B57A
2, xrefs: 1000B534
i, xrefs: 1000B330
7, xrefs: 1000B4E0
,, xrefs: 1000B542
,, xrefs: 1000B511
2, xrefs: 1000B52D
%, xrefs: 1000B50A
6, xrefs: 1000B30D
1, xrefs: 1000B573
0, xrefs: 1000B4EE
%, xrefs: 1000B322
, xrefs: 1000B2F1
(, xrefs: 1000B2DC
-, xrefs: 1000B314
+, xrefs: 1000B4E7
+, xrefs: 1000B503
', xrefs: 1000B518
3, xrefs: 1000B4D9

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Value$CloseOpenQuery
String ID: $%$%$%$&$'$'$'$($+$+$+$,$,$-$0$1$2$2$3$6$6$7$B$C:\PROGRA~1\COMMON~1\System\symsrv.dll$K$i
API String ID: 237177642-2208146747
Opcode ID: 07dd20263758b53605061da9e8644a32bbc1c200b7d51e5380c7c905e5ac8bf6
Instruction ID: d7ffd36e3fc649d87268a548135784987c6f1deef2e906aa5cff512d09507537
Opcode Fuzzy Hash: 07dd20263758b53605061da9e8644a32bbc1c200b7d51e5380c7c905e5ac8bf6
Instruction Fuzzy Hash: 3AA146708087ECD9EB36C6288C497CDBF745B16318F0441C8E29C6A2D2D7B54B85CF66

Function 1000C3E6 Relevance: 57.8, APIs: 2, Strings: 31, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(774B0000,00000000), ref: 1000C43B
GetProcAddress.KERNEL32(774B0000,00000000), ref: 1000C4F0

Strings

x, xrefs: 1000C469
~, xrefs: 1000C4B6
I, xrefs: 1000C462
n, xrefs: 1000C4C4
i, xrefs: 1000C493
r, xrefs: 1000C4AF
x, xrefs: 1000C49A
v, xrefs: 1000C3FB
u, xrefs: 1000C41F
p, xrefs: 1000C477
I, xrefs: 1000C3F7
?, xrefs: 1000C517
c, xrefs: 1000C417
|, xrefs: 1000C48C
u, xrefs: 1000C41B
s, xrefs: 1000C485
%, xrefs: 1000C56B
x, xrefs: 1000C4BD
8, xrefs: 1000C53A
M, xrefs: 1000C4A1
h, xrefs: 1000C403
t, xrefs: 1000C40B
c, xrefs: 1000C3FF
V, xrefs: 1000C407
t, xrefs: 1000C47E
i, xrefs: 1000C40F
e, xrefs: 1000C413
h, xrefs: 1000C595
o, xrefs: 1000C470
n, xrefs: 1000C4CB
o, xrefs: 1000C4A8

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressProc
String ID: %$8$?$I$I$M$V$c$c$e$h$h$i$i$n$n$o$o$p$r$s$t$t$u$u$v$x$x$x$|$~
API String ID: 190572456-3762297867
Opcode ID: 7dfb619f267f275168528171f402fbe1169908cbf31e02c37dbb2435c866621e
Instruction ID: 07a796bec1b5bb6dfccb493179a8595110490467b2e30aa6663b5b61b00816a5
Opcode Fuzzy Hash: 7dfb619f267f275168528171f402fbe1169908cbf31e02c37dbb2435c866621e
Instruction Fuzzy Hash: 19517760D0C6D8CDFB12C6688C597CEBEB11B27348F4841C8D18C7A292C7BB1689CB76

Function 10001A5A Relevance: 45.6, APIs: 6, Strings: 20, Instructions: 104libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10001A68
LoadLibraryA.KERNEL32(00000000), ref: 10001A85
GetProcAddress.KERNEL32(?,00000000), ref: 10001AEB
WriteProcessMemory.KERNEL32(000000FF,00000000,00000033,00000005,?), ref: 10001B1E
GetProcAddress.KERNEL32(?,00000000), ref: 10001B81
WriteProcessMemory.KERNEL32(000000FF,00000000,00000033,00000005,?), ref: 10001BB4

Strings

s, xrefs: 10001AB6
E, xrefs: 10001ACE
R, xrefs: 10001AA2
4, xrefs: 10001B06
, xrefs: 10001AD6
c, xrefs: 10001A9E
E, xrefs: 10001AA6
V, xrefs: 10001AC2
T, xrefs: 10001AAE
E, xrefs: 10001AB2
R, xrefs: 10001ABE
a, xrefs: 10001AD2
m, xrefs: 10001B2C
3, xrefs: 10001AFA
3, xrefs: 10001B90
E, xrefs: 10001ABA
I, xrefs: 10001AC6
4, xrefs: 10001B9C
C, xrefs: 10001ACA
A, xrefs: 10001AAA

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressMemoryProcProcessWrite$HandleLibraryLoadModule
String ID: $3$3$4$4$A$C$E$E$E$E$I$R$R$T$V$a$c$m$s
API String ID: 756567434-2756889688
Opcode ID: 2cfb8028a8d18eeeecad93b1b11854b2ac8ec88e3b213fc01f2c2c404b980732
Instruction ID: cfe7ae8f554539807d6733649d24731fd10262907a3c8d5ef0d048077f1ef90e
Opcode Fuzzy Hash: 2cfb8028a8d18eeeecad93b1b11854b2ac8ec88e3b213fc01f2c2c404b980732
Instruction Fuzzy Hash: DE510A60C087C9DAEB12C7FC9848BCEBFB45B26328F084348E1A47B2D6D3A94545C776

Function 10008974 Relevance: 44.0, APIs: 3, Strings: 22, Instructions: 273COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000001), ref: 1000897D
SizeofResource.KERNEL32(?,00000000), ref: 100089A4
LoadResource.KERNEL32(?,00000000), ref: 100089B8

Strings

l, xrefs: 10008BBB
S, xrefs: 10008B97
A, xrefs: 10008B63
%, xrefs: 10008B9B
w, xrefs: 10008AE3
j, xrefs: 10008BC3
<, xrefs: 10008BFB
d, xrefs: 10008B07
s, xrefs: 10008C03
{, xrefs: 10008BEF
", xrefs: 10008B9F
Q, xrefs: 10008B8F
|, xrefs: 10008C1F
b, xrefs: 10008AF1
W, xrefs: 10008BB3
f, xrefs: 10008B33
E, xrefs: 10008BC7
\, xrefs: 10008B93
x, xrefs: 10008AEA
q, xrefs: 10008C07
h, xrefs: 10008C0F
`, xrefs: 10008AFF

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID: "$%$<$A$E$Q$S$W$\$`$b$d$f$h$j$l$q$s$w$x${$|
API String ID: 507330600-1845518766
Opcode ID: 2a584a685d93ad1d8ed408115ea3aca1dd9cb96f47de5b84e233e59b92b93ded
Instruction ID: 697e40266fc9f2c134aad7ecdc35b070e79b0050cc1a4af9ee0ce26bd25e8e04
Opcode Fuzzy Hash: 2a584a685d93ad1d8ed408115ea3aca1dd9cb96f47de5b84e233e59b92b93ded
Instruction Fuzzy Hash: E9D16360C083C8DAEB21C7B8D844BDEBFB46F26354F184299E1987B2C7D7755648CB62

Function 10001BC1 Relevance: 38.6, APIs: 4, Strings: 18, Instructions: 90libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 10001C16
WriteProcessMemory.KERNEL32(000000FF,00000000,00000033,00000005,?), ref: 10001C49
GetProcAddress.KERNEL32(?,00000000), ref: 10001CA4
WriteProcessMemory.KERNEL32(000000FF,00000000,00000033,00000005,?), ref: 10001CD7

Strings

q, xrefs: 10001BF5
w, xrefs: 10001BF9
A, xrefs: 10001BE1
`, xrefs: 10001BE9
w, xrefs: 10001BD9
w, xrefs: 10001BE5
d, xrefs: 10001BED
3, xrefs: 10001C25
|, xrefs: 10001BDD
S, xrefs: 10001BFD
3, xrefs: 10001CB3
{, xrefs: 10001BF1
/, xrefs: 10001C8B
x, xrefs: 10001C8F
+, xrefs: 10001C6F
b, xrefs: 10001BD5
], xrefs: 10001BD1
7, xrefs: 10001C5F

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressMemoryProcProcessWrite
String ID: +$/$3$3$7$A$S$]$`$b$d$q$w$w$w$x${$|
API String ID: 3726410293-4123826176
Opcode ID: 138b313170caafbb0e5bbff21f197047dfb917f338a9fa1fdbd4be83995fdd27
Instruction ID: ad40b51b2249856820d58b7b37f1b5c2a2dd8c700d89039e6ecb3d97efc0ca23
Opcode Fuzzy Hash: 138b313170caafbb0e5bbff21f197047dfb917f338a9fa1fdbd4be83995fdd27
Instruction Fuzzy Hash: E041EE60D082CCD9EB12C7F8C448BDDBFB45B26358F18818DD1A56B2C6D3BA5609CB62

Function 1000426D Relevance: 35.3, APIs: 6, Strings: 14, Instructions: 296COMMON

Download Yara Rule

Strings

+, xrefs: 10004362
&, xrefs: 100042B2
-, xrefs: 1000436E
", xrefs: 10004517
8, xrefs: 100042BE
j, xrefs: 10004366
8, xrefs: 100042B6
#, xrefs: 1000436A
D, xrefs: 10004376
+, xrefs: 1000435A
#, xrefs: 1000435E
8, xrefs: 100042BA
(, xrefs: 10004356
", xrefs: 10004372

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID: "$"$#$#$&$($+$+$-$8$8$8$D$j
API String ID: 0-723407705
Opcode ID: 2a082d9862e438165487024fa66b0e872b735e1ec01fd07440f40a93dfcf4318
Instruction ID: dde778835347eb008614cc527c638594fb2a8506f378ed4326422950a8d5d15e
Opcode Fuzzy Hash: 2a082d9862e438165487024fa66b0e872b735e1ec01fd07440f40a93dfcf4318
Instruction Fuzzy Hash: 22C1E3B5C002889BEB14D7E4CC45BEEBB78EF14340F044598E5097B286EF756A49CBA2

Function 1000A9CE Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 270timefileCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(000000FF,?,?,?,00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000), ref: 1000AAEF
CloseHandle.KERNEL32(000000FF,?,?,?,00000000,?,?,?,?), ref: 1000AAF9
WriteFile.KERNEL32(000000FF,00000004,0000002A,?,00000000,00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 1000AB51
SetFileTime.KERNEL32(000000FF,?,?,?), ref: 1000AB6A
CloseHandle.KERNEL32(000000FF), ref: 1000AB74

Strings

*, xrefs: 1000AA45
`, xrefs: 1000AA49
p, xrefs: 1000AA51
5, xrefs: 1000A9DF
e, xrefs: 1000AA4D

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$CloseHandleTime$Write
String ID: *$5$`$e$p
API String ID: 364540719-3005180831
Opcode ID: aa66145bfa2c0681ed919668a74ad22571c6e6ea153da5e3c2ba92a24b35d1d2
Instruction ID: 9ac8e5729ac0f084531a52e1b8c0c23e53f35f4596b280bb9a3513ac92dead5e
Opcode Fuzzy Hash: aa66145bfa2c0681ed919668a74ad22571c6e6ea153da5e3c2ba92a24b35d1d2
Instruction Fuzzy Hash: A3A152759002489AFB15EBA4CC96FEE7B3CEF14340F408958F51A76196EF30AA45CBA1

Function 10003F37 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 114libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10003FB1
LoadLibraryA.KERNEL32(00000000), ref: 10003FCD
GetProcAddress.KERNEL32(?,00000000), ref: 10003FE7
GetCurrentThreadId.KERNEL32 ref: 10003FF0

Strings

x, xrefs: 10003F8C
b, xrefs: 10003F9C
<, xrefs: 10003F40
y, xrefs: 10003F88
u, xrefs: 10003F84
u, xrefs: 10003F98
x, xrefs: 10003F90
s, xrefs: 10003F94

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressCurrentHandleLibraryLoadModuleProcThread
String ID: <$b$s$u$u$x$x$y
API String ID: 1227477173-1608725744
Opcode ID: 3e7a82787ced7735ce029ed9a461b4b2b3090f4cbb6649259c4ba20726064426
Instruction ID: 33ff40ab1d131e30287cb64b03bcfa2079c32daa297a7db5e7cafda79f5c2fcc
Opcode Fuzzy Hash: 3e7a82787ced7735ce029ed9a461b4b2b3090f4cbb6649259c4ba20726064426
Instruction Fuzzy Hash: CB41A761C083C999EB11CBF8C849BEEBF749F1A254F044698E5A4B72C2D7795205C7B2

Function 10004AA9 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 466COMMON

Download Yara Rule

Strings

, xrefs: 10004F49
!, xrefs: 10004F41

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID: $!
API String ID: 0-2056089098
Opcode ID: b326289dc89059ba0ea4d12b0711c03597ab740b3afaef9a58047e8eb829b844
Instruction ID: 38a493ceaeaaf12bd6114039ea703b71470109976f11036ac34955238d57f70a
Opcode Fuzzy Hash: b326289dc89059ba0ea4d12b0711c03597ab740b3afaef9a58047e8eb829b844
Instruction Fuzzy Hash: E62248B4D001589BEB28CB68CC95BDDB7B2EF48340F1481D9E50DAB246DB31AE85CF65

Function 00407764 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0040777C
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407788
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407797
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004077A3
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004077BB
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004077DF

Strings

MSH_WHEELSUPPORT_MSG, xrefs: 00407792
MouseZ, xrefs: 00407777
MSH_SCROLL_LINES_MSG, xrefs: 0040779E
Magellan MSWHEEL, xrefs: 00407772
MSWHEEL_ROLLMSG, xrefs: 00407783

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 46a9f3e509111ab9809b85df57fcccb564169654f5328c36d85b0e8ae301a41f
Instruction ID: ba8f654debf8eb3512711421a0d23636ef6fb32deafc715d0e5f331a0b1b8180
Opcode Fuzzy Hash: 46a9f3e509111ab9809b85df57fcccb564169654f5328c36d85b0e8ae301a41f
Instruction Fuzzy Hash: F4112471A48341AFE710AF55CC81F66BB98EF44750F20847AB9446B3C1D6B87C40CBAA

Function 1000A44C Relevance: 15.4, APIs: 10, Instructions: 380fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 1000A5CC
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 1000A5E4
GetTickCount.KERNEL32 ref: 1000A693
WriteFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 1000A708
CloseHandle.KERNEL32(000000FF), ref: 1000A712
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,1002174C,00000104), ref: 1000A78A

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$AttributesByteCharCloseCountCreateDirectoryHandleMultiTickWideWrite
String ID:
API String ID: 2963317036-0
Opcode ID: 11b363bedbc0463798f619ac318b01a144feb87d1ddd9a4ae8ad973868246fe8
Instruction ID: 6622efe6a7c4ef8df84fe9feeecbc3f3fe37281f61cb7300f0988ebd6e412655
Opcode Fuzzy Hash: 11b363bedbc0463798f619ac318b01a144feb87d1ddd9a4ae8ad973868246fe8
Instruction Fuzzy Hash: B7E10475D102489AFB10DBA4CC46FED7779EF54380F4486A8F109771C6EB74AA85CB22

Function 10007DEC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10007DFD
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 10007E8D
CloseHandle.KERNEL32(00000000), ref: 10007FEE

Strings

h, xrefs: 10007E2C
j, xrefs: 10007E40
h, xrefs: 10007E10
j, xrefs: 10007E24
h, xrefs: 10007E48

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AllocCloseHandleOpenProcessVirtual
String ID: h$h$h$j$j
API String ID: 754910816-3342286319
Opcode ID: 913cfa3d866773e2a2ed193946acc47d92da95edee84c7a04ca9d3a50713b3e4
Instruction ID: 289640527b795e8e78cbe4f788b6ae0a558b91ed9720cc56faf84fb20943ca64
Opcode Fuzzy Hash: 913cfa3d866773e2a2ed193946acc47d92da95edee84c7a04ca9d3a50713b3e4
Instruction Fuzzy Hash: 2051F975D00288EFEB05CBA4D895FEEBBB5AF19304F148198E1017B382D3769609CBB5

Function 10008017 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowsleepCOMMON

Download Yara Rule

APIs

_rand.LIBCMT ref: 10008033
_rand.LIBCMT ref: 10008043
_rand.LIBCMT ref: 10008053
PostMessageA.USER32(?,?,?,?), ref: 10008073
Sleep.KERNEL32(000000C8), ref: 10008080
IsWindow.USER32(?), ref: 1000808A
PostMessageA.USER32(?,00000064,00000000,00000000), ref: 100080B8

Strings

d, xrefs: 100080A6

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: _rand$MessagePost$SleepWindow
String ID: d
API String ID: 390989685-2564639436
Opcode ID: 76cf03ca70b09789d4017d4a1953b19f5fcc4e017528165237ca35113cce41e1
Instruction ID: 72db5d6d3c14764c2f1263f99887a8bc7eb2128efdf1fd91c15336e0f9c52c8c
Opcode Fuzzy Hash: 76cf03ca70b09789d4017d4a1953b19f5fcc4e017528165237ca35113cce41e1
Instruction Fuzzy Hash: 07118EB9A05208EBEB04CFA4C895B9DB7B1FF88340F10C599F605DB251C635DA449B60

Function 10019F40 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,10016BB2,?,Microsoft Visual C++ Runtime Library,00012010,?,1001C774,?,1001C7C4,?,?,?,Runtime Error!Program: ), ref: 10019F52
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 10019F6A
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 10019F7B
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 10019F88

Strings

MessageBoxA, xrefs: 10019F64
user32.dll, xrefs: 10019F4D
GetActiveWindow, xrefs: 10019F75
GetLastActivePopup, xrefs: 10019F7D

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 9bb47299df42860bad1c65134ab3767e55d8174c8aad63c1ce290f84051ca8ee
Instruction ID: 712b221e2c1690d5ed6358eefcf3477377f41dd8c94e1c720ccffffb55dae85a
Opcode Fuzzy Hash: 9bb47299df42860bad1c65134ab3767e55d8174c8aad63c1ce290f84051ca8ee
Instruction Fuzzy Hash: DC011A31609325BEE740DFB98CC4D6A3AE9EB88691731443DE605DA121FF72D8829B60

Function 10014784 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,1001C384,00000001,00000000,00000000,774CE860,10026088,00000000,?,?,?,?,10001FEC,00000000), ref: 100147C6
LCMapStringA.KERNEL32(00000000,00000100,1001C380,00000001,00000000,00000000,?,?,?,10001FEC,00000000), ref: 100147E2
LCMapStringA.KERNEL32(00000000,10001FEC,?,?,?,?,774CE860,10026088,00000000,?,?,?,?,10001FEC,00000000), ref: 1001482B
MultiByteToWideChar.KERNEL32(00000000,10026089,?,?,00000000,00000000,774CE860,10026088,00000000,?,?,?,?,10001FEC,00000000), ref: 10014863
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,10001FEC,00000000), ref: 100148BB
LCMapStringW.KERNEL32(00000000,10001FEC,00000000,00000000,00000000,00000000,?,?,?,10001FEC,00000000), ref: 100148D1
LCMapStringW.KERNEL32(00000000,10001FEC,00000000,00000000,?,?,?,?,?,10001FEC,00000000), ref: 10014904
LCMapStringW.KERNEL32(00000000,10001FEC,00000000,00000000,?,00000000,?,?,?,10001FEC,00000000), ref: 1001496C

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: d36b137f33267c043f39a8dbc9923c682399acf478bbd3179ea48cafc847e2de
Instruction ID: 6511a382c912848e6ac98b9d767bc157387f95797aafcdee9e9fa81957444595
Opcode Fuzzy Hash: d36b137f33267c043f39a8dbc9923c682399acf478bbd3179ea48cafc847e2de
Instruction Fuzzy Hash: F1515B7190025AAFDF12CF94CC85E9F7BB9FB49B90F214115F915AA160C732CD90EB61

Function 1000D49E Relevance: 13.7, APIs: 9, Instructions: 162memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,000000F8,00000040,?), ref: 1000D4D1
VirtualProtect.KERNEL32(?,000000F8,?,?), ref: 1000D51B
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 1000D541
WriteProcessMemory.KERNEL32(000000FF,?,?,?,?), ref: 1000D566
VirtualProtect.KERNEL32(?,?,?,?), ref: 1000D6B8
GetProcessHeap.KERNEL32(00000001,?), ref: 1000D6C4
HeapFree.KERNEL32(00000000), ref: 1000D6CB
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000D6E1
SetLastError.KERNEL32(00000000), ref: 1000D709

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ProtectVirtual$HeapProcess$ErrorFileFreeLastMemoryModuleNameWrite
String ID:
API String ID: 1576130627-0
Opcode ID: e48b9a492583263708a67e167b2ef98b891b4f28ab3cb69d91b534f9a41c9ec8
Instruction ID: 1dc0e754acabc390e9bfbac236aa232de6eb276334465b9c75294942c2cdec66
Opcode Fuzzy Hash: e48b9a492583263708a67e167b2ef98b891b4f28ab3cb69d91b534f9a41c9ec8
Instruction Fuzzy Hash: 7981F3B59002299FDB18CF58CC81FD9B7B5FF49314F0481D9EA49AB241D670AE90CFA0

Function 10016A8E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,10011E5A), ref: 10016AFB
GetStdHandle.KERNEL32(000000F4,1001C774,00000000,00000000,00000000,10011E5A), ref: 10016BD1
WriteFile.KERNEL32(00000000), ref: 10016BD8

Strings

<program name unknown>, xrefs: 10016B0B
Microsoft Visual C++ Runtime Library, xrefs: 10016BA7
Runtime Error!Program: , xrefs: 10016B61
..., xrefs: 10016B4D

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 0046527c49c7b86006d49519c778fa2c1007f9ab20481858608caf9f5409c222
Instruction ID: 98ae7400ad47273dba575284e7417d74316d9bc07541b49a9590805c9c967986
Opcode Fuzzy Hash: 0046527c49c7b86006d49519c778fa2c1007f9ab20481858608caf9f5409c222
Instruction Fuzzy Hash: BB31A472A04229AFEF20DA60CC86EDE73ADEF49344F500596F545EE040EB70EAD68F51

Function 100166A9 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1001312F), ref: 100166C4
GetEnvironmentStrings.KERNEL32(?,?,?,?,1001312F), ref: 100166D8
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,1001312F), ref: 10016704
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,1001312F), ref: 1001673C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,1001312F), ref: 1001675E
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,1001312F), ref: 10016777
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,1001312F), ref: 1001678A
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 100167C8

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 977cc51eaa545a5ad0eeddd9850708274cd30f131da46609fd683bcdcee5c484
Instruction ID: 7311bfd8dda3cd57fdfb607f1036c22790811c8a0afbe793bba5daff6579dfa8
Opcode Fuzzy Hash: 977cc51eaa545a5ad0eeddd9850708274cd30f131da46609fd683bcdcee5c484
Instruction Fuzzy Hash: 2231C4B250C2766FE711ABB44CC882EB6DCEB4E2AD7124929F952CB181E631DCC18761

Function 100096E1 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 128COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000001), ref: 1000972B

Strings

p, xrefs: 100097F6
b, xrefs: 100097FA
., xrefs: 10009802
d, xrefs: 100097EA
a, xrefs: 100097FE
?, xrefs: 100097F2
x, xrefs: 100097EE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Read
String ID: .$?$a$b$d$p$x
API String ID: 946204249-2934605707
Opcode ID: 68652ed76ac4d8d8ec3f9c1f8174d8d77194980ee954cdd873c77b5f6f0ec699
Instruction ID: 08955c9b4ac1cf693953f320f3b5539609d415794eee07b7e5fef20275824145
Opcode Fuzzy Hash: 68652ed76ac4d8d8ec3f9c1f8174d8d77194980ee954cdd873c77b5f6f0ec699
Instruction Fuzzy Hash: 8C517C75D14188EAEB04DBE4DC81EEEBB78EF14340F048428F54577286EB75AA49CBA1

Function 1000920D Relevance: 10.8, APIs: 7, Instructions: 339fileCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000001), ref: 1000922F
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 1000938A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,10021540,00000104,?,?,?,?,00000001), ref: 100093BE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ByteCharCopyFileMultiReadWide
String ID:
API String ID: 1453400745-0
Opcode ID: 148fb041f2f85bfcde16609aef86e5b53fcae3486bb7a87f05b7f703c5a52bba
Instruction ID: 5313af0f7624f080ba70e373a2bc2ee9b0dea30391b83c7ade08419758d990f8
Opcode Fuzzy Hash: 148fb041f2f85bfcde16609aef86e5b53fcae3486bb7a87f05b7f703c5a52bba
Instruction Fuzzy Hash: 59C15F75D001489BFB04DBE0CC92BEEBB79EF14380F548868E50676199EF35BA86CB51

Function 1001831B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 100184CE
GetLastError.KERNEL32 ref: 100184DA
GetFileType.KERNEL32(00000000), ref: 100184EF
CloseHandle.KERNEL32(00000000), ref: 100184FA

Strings

@, xrefs: 10018507
H, xrefs: 10018541

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 35711d5a3fc08896e2b7680d6d469c4c61397692fae1c8bdf5757601b9541bb1
Instruction ID: 0c2a492b3064ec65b5e77294ca452c5e8e1e339a406a6163d89371c369e337c5
Opcode Fuzzy Hash: 35711d5a3fc08896e2b7680d6d469c4c61397692fae1c8bdf5757601b9541bb1
Instruction Fuzzy Hash: 6F813671C0465AABEB21CFA4C88479E7BE1EF013A4F254219E961AF1D1DBB4CBC48B51

Function 100187DF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,1001C384,00000001,00000000,?,00000100,00000000,10019ACE,00000001,00000020,00000100,?,00000000), ref: 1001881E
GetStringTypeA.KERNEL32(00000000,00000001,1001C380,00000001,?), ref: 10018838
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,10019ACE,00000001,00000020,00000100,?,00000000), ref: 1001886C
MultiByteToWideChar.KERNEL32(10019ACE,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,10019ACE,00000001,00000020,00000100,?,00000000), ref: 100188A4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 100188FA
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 1001890C

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: ddc7f6aec35dd88b1752a05ac63d83e398efbdcf87eb4498d3db0a2a9795f805
Instruction ID: 80efe49769f9c55366b0b87d96394f5a1e97bb6fd917305025469127db8faf67
Opcode Fuzzy Hash: ddc7f6aec35dd88b1752a05ac63d83e398efbdcf87eb4498d3db0a2a9795f805
Instruction Fuzzy Hash: 49415C7290025ABFDB11DF94CC89EEE7BB9FB09264F204525FA11DA160C731DB91CBA1

Function 10009FB4 Relevance: 9.0, APIs: 6, Instructions: 37threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10009FBA
GetDesktopWindow.USER32 ref: 10009FC5
GetWindow.USER32(00000000), ref: 10009FCC
GetWindow.USER32(?,00000002), ref: 10009FE2
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 10009FF9
IsWindowVisible.USER32(00000000), ref: 1000A008

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Window$Thread$CurrentDesktopProcessVisible
String ID:
API String ID: 4188469220-0
Opcode ID: ff1fe90d3c60e525a25bfc90ed3c43d6d79c8afb4235d603b0add2491515b06e
Instruction ID: 66a71734bf6b2c9025dda973603cbe68bc7d301e2066f01206c9f5a6d3b4bffb
Opcode Fuzzy Hash: ff1fe90d3c60e525a25bfc90ed3c43d6d79c8afb4235d603b0add2491515b06e
Instruction Fuzzy Hash: 5E0119B5E0020CEBEB00DFE0C988B9D7BB8EB09381F108595E50593240D735DA44AB21

Function 10016808 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 10016827
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 1001685C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100168BC

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 10016896
__MSVCRT_HEAP_SELECT, xrefs: 10016857

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: be8fa36c8c6c7ce449380da2e9ede97b7d6262c0c96322e52423aadf451bd08d
Instruction ID: dc2ddc1df3c481c69c09107ba15e0aa1aed0b5da41c3f1abbec33f04c60deba1
Opcode Fuzzy Hash: be8fa36c8c6c7ce449380da2e9ede97b7d6262c0c96322e52423aadf451bd08d
Instruction Fuzzy Hash: 11310976D052996FEB21C6B05C91BDD37ECDB0A298F2040D5D545DE082EA30DFCACB21

Function 100134B1 Relevance: 7.8, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec80482876cbbfea10ac558f9ecc343b29c2d10e4ae21978737ec7475eb4ae6
Instruction ID: 8d3d557cf0c6aec5b3d5c0c3ea12377d7f55ab9f6b83c53f50cdda6170313262
Opcode Fuzzy Hash: aec80482876cbbfea10ac558f9ecc343b29c2d10e4ae21978737ec7475eb4ae6
Instruction Fuzzy Hash: 5991F4F5D00629AADB11DB68CC859DE7BB9EB096A0F208225F858BE191D731DDC08B60

Function 10016193 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 100161F1
GetFileType.KERNEL32(00000480), ref: 1001629C
GetStdHandle.KERNEL32(-000000F6), ref: 100162FF
GetFileType.KERNEL32(00000000), ref: 1001630D
SetHandleCount.KERNEL32 ref: 10016344

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: afbf0a58576d9836c3fb28c172e8f5e010b5c3f6d37731d462276d3656857e49
Instruction ID: 0f89c194aee37fe9091bac8226edfe15fd3f78554569c19e26152e2790274208
Opcode Fuzzy Hash: afbf0a58576d9836c3fb28c172e8f5e010b5c3f6d37731d462276d3656857e49
Instruction Fuzzy Hash: 5D51E4719046568FE710CB68CCC8B593BE4FB0A364F26466CD8A2DF2E1D730D986D750

Function 10017728 Relevance: 7.6, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00002020,1001ED80), ref: 10017749
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,10011E5A,10017BF4,00000000,00000010,00000000,00000009,00000009,?,100139B8,00000010,00000000), ref: 1001776D
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,10011E5A,10017BF4,00000000,00000010,00000000,00000009,00000009,?,100139B8,00000010,00000000), ref: 10017787
VirtualFree.KERNEL32(00000000,00000000,00008000,?,10011E5A,10017BF4,00000000,00000010,00000000,00000009,00000009,?,100139B8,00000010,00000000,10011E5A), ref: 10017848
HeapFree.KERNEL32(00000000,00000000,?,10011E5A,10017BF4,00000000,00000010,00000000,00000009,00000009,?,100139B8,00000010,00000000,10011E5A,00000000), ref: 1001785F

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Virtual$AllocFreeHeap$Allocate
String ID:
API String ID: 3000792370-0
Opcode ID: 1317f6bf94321ac5039d2f6573fe4650433641b9730bbf980a711bc8cf4adbd4
Instruction ID: 5c6769bfca1cabdf35cebd79bb49ef2a9f463615a42f930bcb70ae22a3bf3036
Opcode Fuzzy Hash: 1317f6bf94321ac5039d2f6573fe4650433641b9730bbf980a711bc8cf4adbd4
Instruction Fuzzy Hash: 3031EF70680756AFE321CF24DC89B19BBF4FB45B94F118639E1699B2D0EB70E880CB44

Function 100080FF Relevance: 7.5, APIs: 5, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10008116
TerminateProcess.KERNEL32(00000000,00000000), ref: 1000812B
EnumWindows.USER32(Function_000080C7,00000000), ref: 10008151
Sleep.KERNEL32(000001F4), ref: 1000815C
Sleep.KERNEL32(00000064), ref: 10008164

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ProcessSleep$EnumOpenTerminateWindows
String ID:
API String ID: 3901766475-0
Opcode ID: 2653f1ba7b2de7905fe63a1328049569b8a04220ea8ce2a82db5d470f9a21bfe
Instruction ID: dcf86fc1c2a68d389fcba1d0a34524ab1569834cb49bc94813606b19601f9b6a
Opcode Fuzzy Hash: 2653f1ba7b2de7905fe63a1328049569b8a04220ea8ce2a82db5d470f9a21bfe
Instruction Fuzzy Hash: 5401D635A41258BBF300EBE08C4EFAD7B78EF05742F508154F641571C5D6729A418761

Function 100142BD Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10011EA1,?,10011E5A), ref: 100142BF
TlsGetValue.KERNEL32(?,?,10011EA1,?,10011E5A), ref: 100142CD
SetLastError.KERNEL32(00000000,?,?,10011EA1,?,10011E5A), ref: 10014319

Part of subcall function 100143C4: RtlAllocateHeap.NTDLL(00000008,10011E5A,00000000), ref: 100144BA

TlsSetValue.KERNEL32(00000000,?,?,10011EA1,?,10011E5A), ref: 100142F1
GetCurrentThreadId.KERNEL32 ref: 10014302

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread
String ID:
API String ID: 2047054392-0
Opcode ID: c5ce56e29ce2c7df3e2112a8290a8917a7478a1b086b89ada8db33f67a1db6b8
Instruction ID: baf11ef6314a733a67745f96bc4843d6e450a6e67434720a7bbf7ddb0416c940
Opcode Fuzzy Hash: c5ce56e29ce2c7df3e2112a8290a8917a7478a1b086b89ada8db33f67a1db6b8
Instruction Fuzzy Hash: F1F02B36640331ABE2216B309C49A0E3BA0EF05BB17134514F9549A1F1CF30D8C186D0

Function 100146A2 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(00000000), ref: 100146D6

Part of subcall function 10013264: HeapFree.KERNEL32(00000000,00000000,00000000,10011E5A,00000000,?,1001447A,00000009,00000000,00000000,?,?,10011EA1,?,10011E5A), ref: 10013338

RtlDeleteCriticalSection.NTDLL(?), ref: 100146F1
RtlDeleteCriticalSection.NTDLL ref: 100146F9
RtlDeleteCriticalSection.NTDLL ref: 10014701
RtlDeleteCriticalSection.NTDLL ref: 10014709

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 18c0d9f19bdc8b801751fa9d754d1e20aa617660488453b16896868d3e2217f0
Instruction ID: d55dec6e7418e8cf56874f5e114f38f24bf6db44f7b4a9bd8a2d72889dd62492
Opcode Fuzzy Hash: 18c0d9f19bdc8b801751fa9d754d1e20aa617660488453b16896868d3e2217f0
Instruction Fuzzy Hash: F3F0FE7A8002F466EE60FB2DEC8988D7AD5DB813943474073E8597A270CD36DCC1AE93

Function 10017EF5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 1001470E: RtlInitializeCriticalSection.NTDLL(00000000), ref: 1001474B
Part of subcall function 1001470E: RtlEnterCriticalSection.NTDLL(10011E5A), ref: 10014766

RtlInitializeCriticalSection.NTDLL(00000068), ref: 10017F48
RtlEnterCriticalSection.NTDLL(00000068), ref: 10017F5D
RtlLeaveCriticalSection.NTDLL(00000068), ref: 10017F6A

Strings

, xrefs: 10017F9E

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: 9c22dae6cc54d1c18cf2a1881882c6c8428f89c1f0811a5b2bd243d9fab75971
Instruction ID: 6ef4b17566e82d1d9c89d4f2e07564b769f87814507a5fe567181068abfd3b15
Opcode Fuzzy Hash: 9c22dae6cc54d1c18cf2a1881882c6c8428f89c1f0811a5b2bd243d9fab75971
Instruction Fuzzy Hash: F4311E721053458FE314CF20DC88B4A77E4FB85328F268A2DF66A8F1D1DB70E9898751

Function 10014BC2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1001267E), ref: 10014BC7
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 10014BD7

Strings

IsProcessorFeaturePresent, xrefs: 10014BD1
KERNEL32, xrefs: 10014BC2

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f438bc2824015786c8322c3c982dd74fad5bb25ef5aefd6bb00551df9b3494b1
Instruction ID: ecf34e8fb414ecafba3c9d0f9ca35046255810938e54917a367b50dc2acdbc70
Opcode Fuzzy Hash: f438bc2824015786c8322c3c982dd74fad5bb25ef5aefd6bb00551df9b3494b1
Instruction Fuzzy Hash: E6C0122068C20AAAEA60DBA10C88F992188DB84682F428014A919EC0A0DF30C5809121

Function 1001A0EE Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 1001A168
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000040), ref: 1001A172
ReadFile.KERNEL32(?,?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00000040), ref: 1001A238
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000040), ref: 1001A242

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: fa8a34b1c95c8f558b5ef233bce762404d57b81ac45ac34bd91910f6d3218ca6
Instruction ID: c97b55b41a2134303f54a2e79221e1239eea105ad0fc14d5cf7afb5f5831ce2c
Opcode Fuzzy Hash: fa8a34b1c95c8f558b5ef233bce762404d57b81ac45ac34bd91910f6d3218ca6
Instruction Fuzzy Hash: 7F519C34A04289AFDB22CFA8C880B9D7BF0EF07394F114499E8658F256C775DAC1CB51

Function 100048C8 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc1584878c52e42eedf417549557393498b0f1fba9fabf17cc9982d8e3fef95
Instruction ID: 7fd3caaa0c8735fa156ef58f16e42b1b819c6edae53977ad4732a8f5661a72aa
Opcode Fuzzy Hash: 7fc1584878c52e42eedf417549557393498b0f1fba9fabf17cc9982d8e3fef95
Instruction Fuzzy Hash: 0A510AB4D042889BEF04DBF4DC81BEEBBB4EF44380F148418F519AB249DB30A945CB95

Function 10013DF0 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,100185AA,00000000,00001000), ref: 10013EB7

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2c9a466c8644a6161075460cab3ac862f071b8edf59141906b0d5ac62503b907
Instruction ID: 81512a328ef80645aaa2c24cbce7a2567d8d456d63b51b19e8ca1c1534bd4a6b
Opcode Fuzzy Hash: 2c9a466c8644a6161075460cab3ac862f071b8edf59141906b0d5ac62503b907
Instruction Fuzzy Hash: 23515971A00258EFDB12CFA8C984A9D7BF5FF45390F21C1A9E8199F2A1D770DA85CB50

Function 10007C9B Relevance: 6.1, APIs: 4, Instructions: 70processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10007CC2
Process32First.KERNEL32(000000FF,00000128), ref: 10007CF3
Process32Next.KERNEL32(?,?), ref: 10007D67
CloseHandle.KERNEL32(000000FF,00000002,00000000), ref: 10007DAD

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b54e942313e69b09f6dc935b109c7abda1b7ec0cf5d1d5ac743e452ed8de97b3
Instruction ID: 5b7634256d702fa112243bf971cbcd73c446e20312ca85d805dddcbd3fe03f12
Opcode Fuzzy Hash: b54e942313e69b09f6dc935b109c7abda1b7ec0cf5d1d5ac743e452ed8de97b3
Instruction Fuzzy Hash: 3B219C75D001688AEB25CB60CC51BEEB3B9FF4C350F0005E9E64DA6185DB38AF908F50

Function 1001B608 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,10018947), ref: 1001B637
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,10018947), ref: 1001B64A
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,10018947), ref: 1001B696
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,10018947), ref: 1001B6AE

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 6d6723fc4f7e1aa026703879498489edced362beb76acae3a9dd45e8ebc8106d
Instruction ID: 3c791e5db717dc5f8eb7c9a0d518060fc5ad1f6e6c2c6b2207ffa5bebcf435df
Opcode Fuzzy Hash: 6d6723fc4f7e1aa026703879498489edced362beb76acae3a9dd45e8ebc8106d
Instruction Fuzzy Hash: 56210732900659EBDF21CF94CD859DEBFB5FB49390F114125FA10A6160C3369DA1DB90

Function 10017286 Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000050,00000000,00000000), ref: 100172AE
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000), ref: 100172E2
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 100172FC
HeapFree.KERNEL32(00000000,?), ref: 10017313

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Heap$Allocate$AllocFreeVirtual
String ID:
API String ID: 94566200-0
Opcode ID: f5781a85d2bc2be02f0326631f6c7da3a3b0202bb834cceb6cd5b36444548361
Instruction ID: 81c1aadd834f9d9ea75d6cccb01390e98c0b6a28ff94c40b486f444d783b1c84
Opcode Fuzzy Hash: f5781a85d2bc2be02f0326631f6c7da3a3b0202bb834cceb6cd5b36444548361
Instruction Fuzzy Hash: 10116A30200261AFE360CF19CDC5D167BB6FB853667604929F66ACA1B0D372D886CF04

Function 10014679 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(?), ref: 10014686
RtlInitializeCriticalSection.NTDLL ref: 1001468E
RtlInitializeCriticalSection.NTDLL ref: 10014696
RtlInitializeCriticalSection.NTDLL ref: 1001469E

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 6d4efbb0744ee1c10942554acd1f197b4d45c8ec9ef45817c243cf8230d096f0
Instruction ID: cc55063fc7b5a48fa10e0a667aa9f0d9132b8b72e118f3a5e57df1b375cb6049
Opcode Fuzzy Hash: 6d4efbb0744ee1c10942554acd1f197b4d45c8ec9ef45817c243cf8230d096f0
Instruction Fuzzy Hash: C7C002318001B8DAEA122B99DE8688D3FA5EB043603098063E10C51070CE319C10EFC1

Function 00407696 Relevance: 6.0, APIs: 4, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040769B
GlobalUnlock.KERNEL32(00000000), ref: 004076A2
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 004076A7
GlobalLock.KERNEL32(00000000), ref: 004076AD

Memory Dump Source

Source File: 00000000.00000002.1446181015.0000000000406000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1446165688.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446181015.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000486000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1446216712.0000000000488000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2hp5ee36OS.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: 02361587569a7108faf9e0f0362d490eb3e06f259ceec45f1f04d6c7085ace01
Instruction ID: 3807b3356794369132dc4f3bb2ce9b8ce45a2f9ffab1771cbffe330104e2b1d3
Opcode Fuzzy Hash: 02361587569a7108faf9e0f0362d490eb3e06f259ceec45f1f04d6c7085ace01
Instruction Fuzzy Hash: 55B008C49182113DF90873B64D0AD3B14ACD980618382896E7586F2582D87D9825513A

Function 10019A2F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 10019A43

Strings

, xrefs: 10019A68
, xrefs: 10019A8C

Memory Dump Source

Source File: 00000000.00000002.1446633807.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1446621793.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001001E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010020000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.0000000010025000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446633807.000000001002B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446721402.000000001002D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1446738202.000000001002F000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_2hp5ee36OS.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 83ac7559cc8ca374af63d89acc339386a51df988279e7b2339a052840e1e004a
Instruction ID: 3be436be159b28ec87dcb6c4778e46b1c8b46ca02f132deca1f07cf7560c732d
Opcode Fuzzy Hash: 83ac7559cc8ca374af63d89acc339386a51df988279e7b2339a052840e1e004a
Instruction Fuzzy Hash: 30414C315082A85FEB25CA54DEC9BEA7F9DDB05741F2000F5D586DF092C372DA84DBA2

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2hp5ee36OS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Common Files\System\symsrv.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
2hp5ee36OS.exe

Function 1000C855 Relevance: 55.0, APIs: 23, Strings: 8, Instructions: 730
sleepthreadCOMMON

Function 1000C20F Relevance: 50.9, APIs: 3, Strings: 26, Instructions: 108
libraryCOMMON

Function 1000AFBB Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 178
fileCOMMON

Function 1000D737 Relevance: 10.7, APIs: 7, Instructions: 226
memorysleepCOMMON

Function 1000469C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
libraryloaderCOMMON

Function 10018956 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207
timeCOMMON

Function 00406050 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
libraryCOMMON

Function 100021DD Relevance: 133.2, APIs: 6, Strings: 70, Instructions: 201
libraryloaderinjectionCOMMON

Function 100098E5 Relevance: 91.4, APIs: 12, Strings: 40, Instructions: 395
libraryloaderCOMMON

Function 10009C4C Relevance: 42.2, APIs: 3, Strings: 21, Instructions: 185
injectionlibraryloaderCOMMON

Function 1001B44D Relevance: 13.7, APIs: 9, Instructions: 221
COMMON

Function 1000DB11 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127
sleepCOMMON

Function 100169AD Relevance: 9.1, APIs: 6, Instructions: 56
memoryCOMMON

Function 1002DF80 Relevance: 6.2, APIs: 4, Instructions: 189
COMMON

Function 00483364 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 104
COMMON