Edit tour

Windows Analysis Report
test.exe

Overview

General Information

Sample name:	test.exe
Analysis ID:	1580606
MD5:	57bd4f73690590693b5b921f29679410
SHA1:	c2cb47bf602541043589e979f21c3d7c1698e3ac
SHA256:	8a3de78cf177be4c37c1525becf05af336c1dc2a4d181cae79f6903754902efa
Tags:	DarkCometexemalwaretrojanuser-Joker
Infos:

Detection

DarkComet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DarkComet

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes

Contains functionality to register a low level keyboard hook

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Disable Task Manager(disabletaskmgr)

Disables UAC (registry)

Disables the Windows task manager (taskmgr)

Disables windows user account control

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: New RUN Key Pointing to Suspicious Folder

Uses cmd line tools excessively to alter registry or file data

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to delete services

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality to upload files via FTP

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

test.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\test.exe" MD5: 57BD4F73690590693B5B921F29679410)

cmd.exe (PID: 3840 cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\test.exe" +s +h MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 5064 cmdline: attrib "C:\Users\user\Desktop\test.exe" +s +h MD5: 0E938DD280E83B1596EC6AA48729C2B0)

cmd.exe (PID: 6640 cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 2428 cmdline: attrib "C:\Users\user\Desktop" +s +h MD5: 0E938DD280E83B1596EC6AA48729C2B0)

ChromeCookie.exe (PID: 6484 cmdline: "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe" MD5: 57BD4F73690590693B5B921F29679410)

iexplore.exe (PID: 2616 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)

explorer.exe (PID: 5044 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)

notepad.exe (PID: 7172 cmdline: notepad MD5: E92D3A824A0578A50D2DD81B5060145F)

ChromeCookie.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe" MD5: 57BD4F73690590693B5B921F29679410)

ChromeCookie.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe" MD5: 57BD4F73690590693B5B921F29679410)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkComet	DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.	APT33 Lazarus Group Operation C-Major	http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/ https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet

Malware Configuration

Threatname: DarkComet

{"MUTEX": "RO_MUTEX-8HU43EZ", "SID": "GoogleDebugger", "FWB": "1", "NETDATA": ["147.185.221.24:14161"], "GENCODE": "WN0BLB8aPxBw", "INSTALL": "1", "COMBOPATH": "10", "EDTPATH": "ChromeCookies\\ChromeCookie.exe", "KEYNAME": "GoogleDebugJ", "EDTDATE": "16/04/2007", "PERSINST": "1", "MELT": "0", "CHANGEDATE": "1", "DIRATTRIB": "6", "FILEATTRIB": "6", "SH3": "1", "SH6": "1", "CHIDEF": "1", "CHIDED": "1", "PERS": "1", "OFFLINEK": "1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
test.exe	ProjectM_DarkComet_1	Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157	Florian Roth	0x15051:$x1: DarkO\_2 0x3eaa6:$a1: AVICAP32.DLL 0x4e7:$a2: IDispatch4 0x33f6b:$a3: FLOOD/ 0x33def:$a4: T<-/HTTP:// 0x33820:$a5: infoes

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	ProjectM_DarkComet_1	Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157	Florian Roth	0x15051:$x1: DarkO\_2 0x3eaa6:$a1: AVICAP32.DLL 0x4e7:$a2: IDispatch4 0x33f6b:$a3: FLOOD/ 0x33def:$a4: T<-/HTTP:// 0x33820:$a5: infoes

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2137622893.00000000022FB000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x438:$a: #BEGIN DARKCOMET DATA -- 0x7b8:$a: #BEGIN DARKCOMET DATA -- 0x5c1:$b: #EOF DARKCOMET DATA -- 0x941:$b: #EOF DARKCOMET DATA --
0000000E.00000002.2218818182.000000000232B000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x438:$a: #BEGIN DARKCOMET DATA -- 0x7b8:$a: #BEGIN DARKCOMET DATA -- 0x5c1:$b: #EOF DARKCOMET DATA -- 0x941:$b: #EOF DARKCOMET DATA --
00000008.00000002.3265409763.0000000002381000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xff8:$a: #BEGIN DARKCOMET DATA -- 0x1070:$a: #BEGIN DARKCOMET DATA -- 0xf30:$b: #EOF DARKCOMET DATA --
00000000.00000002.2021478489.000000000235B000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x438:$a: #BEGIN DARKCOMET DATA -- 0x7b8:$a: #BEGIN DARKCOMET DATA -- 0x5c1:$b: #EOF DARKCOMET DATA -- 0x941:$b: #EOF DARKCOMET DATA --
00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xa68:$k2: #KCMDDC51#-890
00000008.00000002.3265409763.00000000022D3000.00000004.00001000.00020000.00000000.sdmp	ProjectM_DarkComet_1	Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157	Florian Roth	0x158e9:$x1: DarkO\_2 0x3f33e:$a1: AVICAP32.DLL 0xd7f:$a2: IDispatch4 0x34803:$a3: FLOOD/ 0x34687:$a4: T<-/HTTP:// 0x340b8:$a5: infoes
0000000C.00000002.2137622893.0000000002351000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf08:$a: #BEGIN DARKCOMET DATA -- 0xf30:$a: #BEGIN DARKCOMET DATA -- 0xf80:$b: #EOF DARKCOMET DATA --
00000000.00000002.2021478489.00000000023B1000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x1098:$a: #BEGIN DARKCOMET DATA -- 0x1048:$b: #EOF DARKCOMET DATA --
0000000E.00000002.2218818182.0000000002381000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf08:$a: #BEGIN DARKCOMET DATA -- 0xf30:$a: #BEGIN DARKCOMET DATA -- 0xf80:$b: #EOF DARKCOMET DATA --
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x829bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7d32d:$a2: is now open!\| 0x7cc88:$a3: ActiveOnlineKeylogger 0x7d38c:$a4: #BOT#RunPrompt 0x7c434:$a5: GETMONITORS
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d4ac:$a1: #BOT#URLUpdate 0x7d3c5:$a2: Command successfully executed! 0x408:$b1: FastMM Borland Edition 0x2af4c:$b2: %s, ClassID: %s 0x71e28:$b3: I wasn't able to open the hosts file 0x7d2b0:$b4: #BOT#VisitUrl 0x6c1c0:$b5: #KCMDDC
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d2c8:$bot1: #BOT#OpenUrl 0x7d344:$bot2: #BOT#Ping 0x7d38c:$bot3: #BOT#RunPrompt 0x7d44c:$bot4: #BOT#SvrUninstall 0x7d594:$bot5: #BOT#URLDownload 0x7d4ac:$bot6: #BOT#URLUpdate 0x7d2b0:$bot7: #BOT#VisitUrl 0x7d3f0:$bot8: #BOT#CloseServer 0x7d638:$ddos1: DDOSHTTPFLOOD 0x7d650:$ddos2: DDOSSYNFLOOD 0x7d668:$ddos3: DDOSUDPFLOOD 0x7cc88:$keylogger1: ActiveOnlineKeylogger 0x7ccaa:$keylogger1: ActiveOnlineKeylogger 0x7cca8:$keylogger2: UnActiveOnlineKeylogger 0x7cd04:$keylogger3: ActiveOfflineKeylogger 0x7cd26:$keylogger3: ActiveOfflineKeylogger 0x7cd24:$keylogger4: UnActiveOfflineKeylogger 0x7d930:$shell1: ACTIVEREMOTESHELL 0x7d95c:$shell2: SUBMREMOTESHELL 0x7d974:$shell3: KILLREMOTESHELL
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d4ac:$a1: #BOT#URLUpdate 0x7d3c5:$a2: Command successfully executed! 0x408:$b1: FastMM Borland Edition 0x2af4c:$b2: %s, ClassID: %s 0x71e28:$b3: I wasn't able to open the hosts file 0x7d2b0:$b4: #BOT#VisitUrl 0x6c1c0:$b5: #KCMDDC
00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	DarkComet_4	unknown	unknown	0x7d2b0:$a1: #BOT# 0x7d2c8:$a1: #BOT# 0x7d344:$a1: #BOT# 0x7d38c:$a1: #BOT# 0x7d3f0:$a1: #BOT# 0x7d44c:$a1: #BOT# 0x7d4ac:$a1: #BOT# 0x7d594:$a1: #BOT# 0x7d9cc:$a2: WEBCAMSTOP 0x7cd68:$a3: UnActiveOnlineKeyStrokes 0x7d218:$a4: #SendTaskMgr 0x7d6bc:$a5: #RemoteScreenSize 0x7c510:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: test.exe PID: 5740	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: test.exe PID: 5740	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: test.exe PID: 5740	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x196df:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x18a71:$a2: is now open!\| 0x1861a:$a3: ActiveOnlineKeylogger 0x18ae9:$a4: #BOT#RunPrompt 0x181b8:$a5: GETMONITORS
Process Memory Space: test.exe PID: 5740	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x18c57:$a1: #BOT#URLUpdate 0x18b0e:$a2: Command successfully executed! 0x18b30:$a2: Command successfully executed! 0xf502:$b1: FastMM Borland Edition 0xf51b:$b1: FastMM Borland Edition 0x11aaf:$b2: %s, ClassID: %s 0x11abf:$b2: %s, ClassID: %s 0x17896:$b3: I wasn't able to open the hosts file 0x178ee:$b3: I wasn't able to open the hosts file 0x18a32:$b4: #BOT#VisitUrl 0x16efc:$b5: #KCMDDC 0x2c581:$b5: #KCMDDC
Process Memory Space: test.exe PID: 5740	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x18a41:$bot1: #BOT#OpenUrl 0x18a7f:$bot2: #BOT#Ping 0x18a8a:$bot2: #BOT#Ping 0x18ae9:$bot3: #BOT#RunPrompt 0x18bd2:$bot4: #BOT#SvrUninstall 0x18dc2:$bot5: #BOT#URLDownload 0x18c57:$bot6: #BOT#URLUpdate 0x18a32:$bot7: #BOT#VisitUrl 0x18b50:$bot8: #BOT#CloseServer 0x18e17:$ddos1: DDOSHTTPFLOOD 0x18e26:$ddos2: DDOSSYNFLOOD 0x18e33:$ddos3: DDOSUDPFLOOD 0x1861a:$keylogger1: ActiveOnlineKeylogger 0x18632:$keylogger1: ActiveOnlineKeylogger 0x18630:$keylogger2: UnActiveOnlineKeylogger 0x18668:$keylogger3: ActiveOfflineKeylogger 0x18681:$keylogger3: ActiveOfflineKeylogger 0x1867f:$keylogger4: UnActiveOfflineKeylogger 0x18fc5:$shell1: ACTIVEREMOTESHELL 0x18fde:$shell2: SUBMREMOTESHELL 0x18fee:$shell3: KILLREMOTESHELL
Process Memory Space: test.exe PID: 5740	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x7685:$a: #BEGIN DARKCOMET DATA -- 0x2b612:$a: #BEGIN DARKCOMET DATA -- 0x780e:$b: #EOF DARKCOMET DATA -- 0x783b:$b: #EOF DARKCOMET DATA -- 0x2b5cc:$b: #EOF DARKCOMET DATA -- 0x2b5e3:$b: #EOF DARKCOMET DATA --
Process Memory Space: test.exe PID: 5740	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x18c57:$a1: #BOT#URLUpdate 0x18b0e:$a2: Command successfully executed! 0x18b30:$a2: Command successfully executed! 0xf502:$b1: FastMM Borland Edition 0xf51b:$b1: FastMM Borland Edition 0x11aaf:$b2: %s, ClassID: %s 0x11abf:$b2: %s, ClassID: %s 0x17896:$b3: I wasn't able to open the hosts file 0x178ee:$b3: I wasn't able to open the hosts file 0x18a32:$b4: #BOT#VisitUrl 0x16efc:$b5: #KCMDDC 0x2c581:$b5: #KCMDDC
Process Memory Space: test.exe PID: 5740	DarkComet_4	unknown	unknown	0x18a32:$a1: #BOT# 0x18a41:$a1: #BOT# 0x18a7f:$a1: #BOT# 0x18a8a:$a1: #BOT# 0x18ae9:$a1: #BOT# 0x18b50:$a1: #BOT# 0x18bd2:$a1: #BOT# 0x18c57:$a1: #BOT# 0x18dc2:$a1: #BOT# 0x19025:$a2: WEBCAMSTOP 0x186af:$a3: UnActiveOnlineKeyStrokes 0x189c9:$a4: #SendTaskMgr 0x189de:$a4: #SendTaskMgr 0x18e63:$a5: #RemoteScreenSize 0x18223:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: ChromeCookie.exe PID: 6484	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x1241:$a: #BEGIN DARKCOMET DATA -- 0x125a:$a: #BEGIN DARKCOMET DATA -- 0x11c9:$b: #EOF DARKCOMET DATA -- 0x2ba1:$k2: #KCMDDC51#-890 0x2bb0:$k2: #KCMDDC51#-890
Process Memory Space: ChromeCookie.exe PID: 7320	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xc:$a: #BEGIN DARKCOMET DATA -- 0x569e:$a: #BEGIN DARKCOMET DATA -- 0x195:$b: #EOF DARKCOMET DATA -- 0x1c2:$b: #EOF DARKCOMET DATA -- 0x56ce:$b: #EOF DARKCOMET DATA --
Process Memory Space: ChromeCookie.exe PID: 7520	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x26b:$a: #BEGIN DARKCOMET DATA -- 0x926a:$a: #BEGIN DARKCOMET DATA -- 0x3f4:$b: #EOF DARKCOMET DATA -- 0x421:$b: #EOF DARKCOMET DATA -- 0x929a:$b: #EOF DARKCOMET DATA --
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.test.exe.400000.0.unpack	ProjectM_DarkComet_1	Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157	Florian Roth	0x8cc51:$x1: DarkO\_2 0xb66a6:$a1: AVICAP32.DLL 0x4e7:$a2: IDispatch4 0x780e7:$a2: IDispatch4 0xabb6b:$a3: FLOOD/ 0xab9ef:$a4: T<-/HTTP:// 0xab420:$a5: infoes
0.2.test.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.test.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.2.test.exe.400000.0.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
0.2.test.exe.400000.0.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
0.2.test.exe.400000.0.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
0.2.test.exe.400000.0.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
0.2.test.exe.400000.0.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
0.2.test.exe.400000.0.unpack	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
0.2.test.exe.400000.0.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\test.exe, ProcessId: 5740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleDebugJ

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\test.exe, ProcessId: 5740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleDebugJ

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\test.exe, ProcessId: 5740, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

Suricata Signatures

ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T12:43:10.718325+0100	2809530	1	A Network Trojan was detected	192.168.2.5	49915	147.185.221.24	14161	TCP

ETPRO MALWARE DarkComet-RAT activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-25T12:41:18.326269+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49704	147.185.221.24	14161	TCP
2024-12-25T12:41:40.575762+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49711	147.185.221.24	14161	TCP
2024-12-25T12:42:02.794590+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49761	147.185.221.24	14161	TCP
2024-12-25T12:42:25.013317+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49814	147.185.221.24	14161	TCP
2024-12-25T12:42:47.326730+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49864	147.185.221.24	14161	TCP
2024-12-25T12:43:10.718325+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49915	147.185.221.24	14161	TCP
2024-12-25T12:43:11.732126+0100	2807821	1	A Network Trojan was detected	192.168.2.5	49964	147.185.221.24	14161	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: test.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 0000000C.00000002.2137622893.00000000022FB000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: DarkComet {"MUTEX": "RO_MUTEX-8HU43EZ", "SID": "GoogleDebugger", "FWB": "1", "NETDATA": ["147.185.221.24:14161"], "GENCODE": "WN0BLB8aPxBw", "INSTALL": "1", "COMBOPATH": "10", "EDTPATH": "ChromeCookies\\ChromeCookie.exe", "KEYNAME": "GoogleDebugJ", "EDTDATE": "16/04/2007", "PERSINST": "1", "MELT": "0", "CHANGEDATE": "1", "DIRATTRIB": "6", "FILEATTRIB": "6", "SH3": "1", "SH6": "1", "CHIDEF": "1", "CHIDED": "1", "PERS": "1", "OFFLINEK": "1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Virustotal: Detection: 94%			Perma Link

Multi AV Scanner detection for submitted file

Source: test.exe	Virustotal: Detection: 94%			Perma Link
Source: test.exe	ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: test.exe

Joe Sandbox ML: detected

Source: test.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0040A488 FindFirstFileA,GetLastError,	0_2_0040A488
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00406A68
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00480FEC FindFirstFileA,	0_2_00480FEC

Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp\ChromeCookies	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49704 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49711 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49761 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49915 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2809530 - Severity 1 - ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive : 192.168.2.5:49915 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49814 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49964 -> 147.185.221.24:14161
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.5:49864 -> 147.185.221.24:14161

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00473560 FtpPutFileA,

0_2_00473560

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.24:14161

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.24

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048485C InternetOpenA,InternetOpenUrlA,HttpQueryInfoA,InternetReadFile,ShellExecuteA,InternetCloseHandle,

0_2_0048485C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\test.exe	Code function: [ESC]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [F1]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [F2]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [DEL]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [DEL]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [INS]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [SNAPSHOT]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [LEFT]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [RIGHT]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [DOWN]	0_2_004818F8
Source: C:\Users\user\Desktop\test.exe	Code function: [UP]	0_2_004818F8

Contains functionality to log keystrokes

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

0_2_004818F8

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00481ED8 SetWindowsHookExA 0000000D,Function_000818F8,00000000,00000000

0_2_00481ED8

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0040838E OpenClipboard,

0_2_0040838E

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004314A0 GlobalAlloc,GlobalLock,SetClipboardData,GlobalUnlock,	0_2_004314A0
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0043181C SetClipboardData,SetClipboardData,	0_2_0043181C
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004318A0 SetClipboardData,SetClipboardData,	0_2_004318A0

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00428418 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

0_2_00428418

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004554F4 GetMessagePos,GetKeyboardState,

0_2_004554F4

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004818F8 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

0_2_004818F8

Source: Yara match	File source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048BB34 SystemParametersInfoA,		0_2_0048BB34
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00489E9C SystemParametersInfoA,		0_2_00489E9C

System Summary

Malicious sample detected (through community Yara rule)

Source: test.exe, type: SAMPLE	Matched rule: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157 Author: Florian Roth
Source: 0.0.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157 Author: Florian Roth
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 0000000C.00000002.2137622893.00000000022FB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000E.00000002.2218818182.000000000232B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.3265409763.0000000002381000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.2021478489.000000000235B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.3265409763.00000000022D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157 Author: Florian Roth
Source: 0000000C.00000002.2137622893.0000000002351000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.2021478489.00000000023B1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000E.00000002.2218818182.0000000002381000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: ChromeCookie.exe PID: 6484, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: ChromeCookie.exe PID: 7320, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: ChromeCookie.exe PID: 7520, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, type: DROPPED	Matched rule: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157 Author: Florian Roth

Yara detected DarkComet

Source: Yara match	File source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00445844 NtdllDefWindowProc_A,	0_2_00445844
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00446070 SetActiveWindow,ShowWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00446070
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004389B4 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_004389B4
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00430B10 NtdllDefWindowProc_A,	0_2_00430B10
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004556F4 SetWindowPos,NtdllDefWindowProc_A,GetCapture,	0_2_004556F4
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00463F64 NtdllDefWindowProc_A,	0_2_00463F64
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,	0_2_00473F34
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00445F90 SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00445F90

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004715B0 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_004715B0

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

0_2_0048A070

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00402370	0_2_00402370
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004064C0	0_2_004064C0
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0043E644	0_2_0043E644
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004389B4	0_2_004389B4
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0045EC78	0_2_0045EC78
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0046ADBC	0_2_0046ADBC
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0046797C	0_2_0046797C
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00469B90	0_2_00469B90

Source: C:\Users\user\Desktop\test.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Code function: String function: 00407B10 appears 139 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 004218E4 appears 86 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 00405584 appears 60 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 00405530 appears 82 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 004055C8 appears 36 times
Source: C:\Users\user\Desktop\test.exe	Code function: String function: 00405864 appears 33 times

Source: test.exe	Static PE information: Resource name: RT_GROUP_CURSOR type: x86 executable (TV)
Source: ChromeCookie.exe.0.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: x86 executable (TV)

Source: test.exe, 00000000.00000002.2018776898.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName$zZ vs test.exe
Source: test.exe, 00000000.00000003.2017332967.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName$zZ vs test.exe

Source: test.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: test.exe, type: SAMPLE	Matched rule: ProjectM_DarkComet_1 date = 2016-03-26, author = Florian Roth, description = Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, reference = http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157
Source: 0.0.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: ProjectM_DarkComet_1 date = 2016-03-26, author = Florian Roth, description = Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, reference = http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 0000000C.00000002.2137622893.00000000022FB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000E.00000002.2218818182.000000000232B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.3265409763.0000000002381000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000000.00000002.2021478489.000000000235B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.3265409763.00000000022D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ProjectM_DarkComet_1 date = 2016-03-26, author = Florian Roth, description = Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, reference = http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157
Source: 0000000C.00000002.2137622893.0000000002351000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000000.00000002.2021478489.00000000023B1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000E.00000002.2218818182.0000000002381000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: test.exe PID: 5740, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: ChromeCookie.exe PID: 6484, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: ChromeCookie.exe PID: 7320, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: ChromeCookie.exe PID: 7520, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, type: DROPPED	Matched rule: ProjectM_DarkComet_1 date = 2016-03-26, author = Florian Roth, description = Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, reference = http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157

Source: test.exe	Static PE information: Section: UPX1 ZLIB complexity 0.9918507543103449
Source: ChromeCookie.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9918507543103449

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@21/2@0/1

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00425A70 GetLastError,FormatMessageA,

0_2_00425A70

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048AEA8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,		0_2_0048AEA8
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048A070 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		0_2_0048A070

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0040A746 GetDiskFreeSpaceA,

0_2_0040A746

Source: C:\Users\user\Desktop\test.exe

Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00471850

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0042C11C CoCreateInstance,

0_2_0042C11C

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048DDE0 FindResourceA,LoadResource,SizeofResource,LockResource,FreeResource,

0_2_0048DDE0

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

0_2_004714B8

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

File created: C:\Users\user\AppData\Roaming\dclogs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Mutant created: \Sessions\1\BaseNamedObjects\RO_MUTEX-8HU43EZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\SysWOW64\notepad.exe	Mutant created: \Sessions\1\BaseNamedObjects\DCPERSFWBP

Source: C:\Users\user\Desktop\test.exe

File created: C:\Users\user\AppData\Local\Temp\ChromeCookies

Jump to behavior

Source: Yara match	File source: 0.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: test.exe	Virustotal: Detection: 94%
Source: test.exe	ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\test.exe

File read: C:\Users\user\Desktop\test.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\test.exe "C:\Users\user\Desktop\test.exe"
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\test.exe" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\test.exe" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\test.exe" +s +h	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\test.exe" +s +h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad	Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: efswrt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00474208 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00474208

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004186D4 push ecx; mov dword ptr [esp], edx	0_2_004186D9
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048F0AC push 0048F125h; ret	0_2_0048F11D
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048F6D4 push 0048F761h; ret	0_2_0048F759
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00482058 push 004820C2h; ret	0_2_004820BA
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0045E078 push 0045E0DEh; ret	0_2_0045E0D6
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004220E0 push ecx; mov dword ptr [esp], ecx	0_2_004220E1
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004660F8 push 00466130h; ret	0_2_00466128
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0042E138 push 0042E170h; ret	0_2_0042E168
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004741C8 push 00474206h; ret	0_2_004741FE
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004041DC push eax; ret	0_2_00404218
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0046224C push 00462284h; ret	0_2_0046227C
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00464228 push ecx; mov dword ptr [esp], edx	0_2_00464229
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004482C4 push 0044832Eh; ret	0_2_00448326
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0041632A push 004163A2h; ret	0_2_0041639A
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0041632C push 004163A2h; ret	0_2_0041639A
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0048E3AC push 0048E3DCh; ret	0_2_0048E3D4
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0046E3A0 push 0046E3EDh; ret	0_2_0046E3E5
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004204E4 push ecx; mov dword ptr [esp], edx	0_2_004204E9
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004086CC push 0040870Eh; ret	0_2_00408706
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0044A74C push ecx; mov dword ptr [esp], edx	0_2_0044A750
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004107FC push 00410828h; ret	0_2_00410820
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0042E8B8 push 0042E8E4h; ret	0_2_0042E8DC
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00430910 push 00430970h; ret	0_2_00430968
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00422924 push 00422967h; ret	0_2_0042295F
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00418930 push ecx; mov dword ptr [esp], edx	0_2_00418935
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0044A9F0 push ecx; mov dword ptr [esp], edx	0_2_0044A9F4
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0045E988 push 0045E9B4h; ret	0_2_0045E9AC
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00418A50 push ecx; mov dword ptr [esp], edx	0_2_00418A55
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00460A20 push 00460A53h; ret	0_2_00460A4B
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00432AD0 push 00432B1Ch; ret	0_2_00432B14
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00418A94 push ecx; mov dword ptr [esp], edx	0_2_00418A99

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

File created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\test.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon UserInit

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_004714B8 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

0_2_004714B8

Source: C:\Users\user\Desktop\test.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleDebugJ			Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleDebugJ			Jump to behavior

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0042E370 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0042E370
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00458910 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_00458910
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_004576CC IsIconic,GetCapture,	0_2_004576CC
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0043B75C IsIconic,	0_2_0043B75C
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0043B7D8 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,	0_2_0043B7D8
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00457FD4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_00457FD4

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00460AC0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00460AC0

Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

0_2_00444A7C

Source: C:\Users\user\Desktop\test.exe

Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,

0_2_00471640

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Window / User API: threadDelayed 7944	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Window / User API: threadDelayed 1874	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Window / User API: threadDelayed 5005	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Window / User API: threadDelayed 4991	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-45687

Source: C:\Users\user\Desktop\test.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-45738

Source: C:\Users\user\Desktop\test.exe

API coverage: 4.8 %

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe TID: 5064	Thread sleep time: -79440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe TID: 5064	Thread sleep time: -18740000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe TID: 7180	Thread sleep time: -2502500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe TID: 7180	Thread sleep time: -2495500s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\notepad.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_0040A488 FindFirstFileA,GetLastError,	0_2_0040A488
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00406A68 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00406A68
Source: C:\Users\user\Desktop\test.exe	Code function: 0_2_00480FEC FindFirstFileA,	0_2_00480FEC

Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local\Temp\ChromeCookies	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: ChromeCookie.exe, 0000000E.00000002.2218550477.000000000067F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: ChromeCookie.exe, 00000008.00000002.3264845097.000000000066E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: ChromeCookie.exe, 00000008.00000002.3264845097.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\ z
Source: ChromeCookie.exe, 0000000C.00000002.2137375880.000000000060F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: test.exe, 00000000.00000002.2018563596.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00474208 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00474208

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00466038 FreeLibrary,VirtualFree,GetProcessHeap,HeapFree,

0_2_00466038

Source: C:\Users\user\Desktop\test.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 510000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 520000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 540000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 550000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 560000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 570000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 580000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 590000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 7B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 600000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 610000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 620000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00473F34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,TerminateProcess,

0_2_00473F34

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 620000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 500000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 510000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 520000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 530000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 540000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 550000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 560000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 570000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 580000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 590000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5A0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5B0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5C0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 7B0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5D0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5E0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 610000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 620000	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048A218 ShellExecuteEx,

0_2_0048A218

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048B42C keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

0_2_0048B42C

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048851C socket,htons,inet_addr,gethostbyname,connect,mouse_event,shutdown,closesocket,

0_2_0048851C

Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\test.exe" +s +h	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h	Jump to behavior
Source: C:\Users\user\Desktop\test.exe	Process created: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe "C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\test.exe" +s +h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior

Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: ChromeCookie.exe, 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: test.exe, test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWnd
Source: test.exe, test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Progman
Source: ChromeCookie.exe, 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerect`
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Progmanjhh
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ProgmanU
Source: ChromeCookie.exe, 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: test.exe, test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_traywnd
Source: test.exe, 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndPjjh

Source: C:\Users\user\Desktop\test.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00406C2C
Source: C:\Users\user\Desktop\test.exe	Code function: GetLocaleInfoA,	0_2_0048CEEC
Source: C:\Users\user\Desktop\test.exe	Code function: GetLocaleInfoA,	0_2_0040D334
Source: C:\Users\user\Desktop\test.exe	Code function: GetLocaleInfoA,	0_2_0040D380

Source: C:\Users\user\Desktop\test.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0040BCC4 GetLocalTime,

0_2_0040BCC4

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048CE74 GetUserNameA,

0_2_0048CE74

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_0048F6D4 GetVersion,

0_2_0048F6D4

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables UAC (registry)

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Disables windows user account control

Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Key value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: C:\Users\user\Desktop\test.exe

Code function: 0_2_00486E2C socket,htons,bind,listen,accept,LocalAlloc,CreateThread,CloseHandle,Sleep,RtlExitUserThread,

0_2_00486E2C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 LSASS Driver	1 Exploitation for Privilege Escalation	4 Disable or Modify Tools	521 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	521 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	12 Windows Service	1 DLL Side-Loading	21 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Windows Service	1 DLL Side-Loading	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.exe	94%	Virustotal		Browse
test.exe	97%	ReversingLabs	Win32.Backdoor.Breut
test.exe	100%	Avira	BDS/Backdoor.Gen
test.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	97%	ReversingLabs	Win32.Backdoor.Breut
C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe	94%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580606
Start date and time:	2024-12-25 12:40:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@21/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 52 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:40:56	API Interceptor	479180x Sleep call for process: ChromeCookie.exe modified
06:41:29	API Interceptor	1368632x Sleep call for process: notepad.exe modified
12:41:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GoogleDebugJ C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
12:41:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GoogleDebugJ C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse
	KJhsNv2RcI.exe	Get hash	malicious	XWorm	Browse
	PjGz899RZV.exe	Get hash	malicious	XWorm	Browse
	ehxF3rusxJ.exe	Get hash	malicious	XWorm	Browse
	Client-built-Playit.exe	Get hash	malicious	Quasar	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse
	72OWK7wBVH.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	WO.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	reddit.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.18
	dr2YKJiGH9.exe	Get hash	malicious	XWorm	Browse	147.185.221.23

Process:	C:\Users\user\Desktop\test.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	257536
Entropy (8bit):	7.898203540516242
Encrypted:	false
SSDEEP:	6144:ZcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:ZcW7KEZlPzCy37
MD5:	57BD4F73690590693B5B921F29679410
SHA1:	C2CB47BF602541043589E979F21C3D7C1698E3AC
SHA-256:	8A3DE78CF177BE4C37C1525BECF05AF336C1DC2A4D181CAE79F6903754902EFA
SHA-512:	00B543644058A93F1C0A13E4D40B1C4E76F9581325F1773D79983761CA6903643E5A44717E7785B27A8FAC2A6609C19032E3F412D3339E9CC5DC697791890318
Malicious:	true
Yara Hits:	Rule: ProjectM_DarkComet_1, Description: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97% Antivirus: Virustotal, Detection: 94%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......O.........................p...W.......`....@..........................p...................@...........................j.......`.......................................................Y......................................................UPX0.....p..............................UPX1................................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.898203540516242
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	test.exe
File size:	257'536 bytes
MD5:	57bd4f73690590693b5b921f29679410
SHA1:	c2cb47bf602541043589e979f21c3d7c1698e3ac
SHA256:	8a3de78cf177be4c37c1525becf05af336c1dc2a4d181cae79f6903754902efa
SHA512:	00b543644058a93f1c0a13e4d40b1c4e76f9581325f1773d79983761ca6903643e5a44717e7785b27a8fac2a6609c19032e3f412d3339e9cc5dc697791890318
SSDEEP:	6144:ZcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:ZcW7KEZlPzCy37
TLSH:	3B4423A57BC6DC43EAFDAEBC060C0F14570523DF2EEE82919F2543483296A87275762D
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b57e0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4FD0CFF9 [Thu Jun 7 15:59:53 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a38ad86d74cafc45094a5085e33419e4

Entrypoint Preview

Instruction
pushad
mov esi, 00478000h
lea edi, dword ptr [esi-00077000h]
mov dword ptr [edi+000907B8h], 932E023Ah
push edi
or ebp, FFFFFFFFh
jmp 00007FA4AC81A9E0h
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA4AC81A9BFh
mov eax, 00000001h
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA4AC81A9DDh
jne 00007FA4AC81A9FAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA4AC81A9F1h
dec eax
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA4AC81A9A6h
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA4AC81AA24h
xor ecx, ecx
sub eax, 03h
jc 00007FA4AC81A9E3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA4AC81AA47h
sar eax, 1
mov ebp, eax
jmp 00007FA4AC81A9DDh
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA4AC81A99Eh
inc ecx
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA4AC81A990h
add ebx, ebx
jne 00007FA4AC81A9D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA4AC81A9C1h
jne 00007FA4AC81A9DBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA4AC81A9B6h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6a18	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0xa18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb5998	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x77000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x78000	0x3e000	0x3da00	a5931a585df7d292cd214ef56a59100d	False	0.9918507543103449	data	7.925168796285708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb6000	0x1000	0x1000	a9331e2596ae371f82b68047208f3bad	False	0.287841796875	data	2.914169796889494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xad6bc	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xad7f0	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xad924	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xada58	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xadb8c	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xadcc0	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0xaddf4	0x134	data	English	United States	1.0357142857142858
RT_STRING	0xadf28	0x20c	data			1.0209923664122138
RT_STRING	0xae134	0x3fc	OpenPGP Public Key			1.0107843137254902
RT_STRING	0xae530	0xa8	data			1.0654761904761905
RT_STRING	0xae5d8	0x140	data			1.034375
RT_STRING	0xae718	0x478	data			1.0096153846153846
RT_STRING	0xaeb90	0x330	data			1.0134803921568627
RT_STRING	0xaeec0	0x36c	data			1.0125570776255708
RT_STRING	0xaf22c	0x3f0	data			1.0109126984126984
RT_STRING	0xaf61c	0xcc	data			1.053921568627451
RT_STRING	0xaf6e8	0xb0	OpenPGP Secret Key			1.0625
RT_STRING	0xaf798	0x2ac	data			1.0160818713450293
RT_STRING	0xafa44	0x3b8	data			1.0115546218487395
RT_STRING	0xafdfc	0x354	data			1.0129107981220657
RT_STRING	0xb0150	0x2f0	data			1.014627659574468
RT_RCDATA	0xb0440	0x33e	data			1.0132530120481928
RT_RCDATA	0xb0780	0x10	data			1.5
RT_RCDATA	0xb0790	0x7f4	data			1.0054027504911591
RT_GROUP_CURSOR	0xb0f84	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0xb0f98	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0xb0fac	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0xb0fc0	0x14	x86 executable (TV)	English	United States	1.4
RT_GROUP_CURSOR	0xb0fd4	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0xb0fe8	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0xb0ffc	0x14	data	English	United States	1.4
RT_VERSION	0xb66c0	0x358	data	French	France	0.06074766355140187

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll	IsValidSid
AVICAP32.DLL	capGetDriverDescriptionA
comctl32.dll	ImageList_Add
gdi32.dll	SaveDC
gdiplus.dll	GdipFree
msacm32.dll	acmStreamSize
netapi32.dll	Netbios
ntdll	NtUnmapViewOfSection
ntdll.dll	NtQuerySystemInformation
ole32.dll	IsEqualGUID
oleaut32.dll	VariantCopy
shell32.dll	ShellExecuteA
SHFolder.dll	SHGetFolderPathA
URLMON.DLL	URLDownloadToFileA
user32.dll	GetDC
version.dll	VerQueryValueA
wininet.dll	FtpPutFileA
winmm.dll	waveInOpen
WS2_32.DLL	WSAIoctl
wsock32.dll	send

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
French	France

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-25T12:41:18.326269+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49704	147.185.221.24	14161	TCP
2024-12-25T12:41:40.575762+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49711	147.185.221.24	14161	TCP
2024-12-25T12:42:02.794590+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49761	147.185.221.24	14161	TCP
2024-12-25T12:42:25.013317+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49814	147.185.221.24	14161	TCP
2024-12-25T12:42:47.326730+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49864	147.185.221.24	14161	TCP
2024-12-25T12:43:10.718325+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49915	147.185.221.24	14161	TCP
2024-12-25T12:43:10.718325+0100	2809530	ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive	1	192.168.2.5	49915	147.185.221.24	14161	TCP
2024-12-25T12:43:11.732126+0100	2807821	ETPRO MALWARE DarkComet-RAT activity	1	192.168.2.5	49964	147.185.221.24	14161	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 12:40:57.670963049 CET	49704	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:40:57.990794897 CET	14161	49704	147.185.221.24	192.168.2.5
Dec 25, 2024 12:40:57.991064072 CET	49704	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:18.326268911 CET	49704	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:18.445960045 CET	14161	49704	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:19.903337002 CET	14161	49704	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:19.904939890 CET	49704	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:19.949736118 CET	49704	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:20.087220907 CET	14161	49704	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:20.154897928 CET	49711	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:20.274462938 CET	14161	49711	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:20.274550915 CET	49711	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:40.575762033 CET	49711	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:40.695271015 CET	14161	49711	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:42.154242039 CET	14161	49711	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:42.154326916 CET	49711	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:42.154370070 CET	49711	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:42.273829937 CET	14161	49711	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:42.357266903 CET	49761	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:41:42.476826906 CET	14161	49761	147.185.221.24	192.168.2.5
Dec 25, 2024 12:41:42.476947069 CET	49761	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:02.794589996 CET	49761	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:02.914216042 CET	14161	49761	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:04.378124952 CET	14161	49761	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:04.378516912 CET	49761	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:04.378556967 CET	49761	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:04.498048067 CET	14161	49761	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:04.591844082 CET	49814	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:04.711663008 CET	14161	49814	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:04.711766005 CET	49814	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:25.013317108 CET	49814	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:25.132854939 CET	14161	49814	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:26.628588915 CET	14161	49814	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:26.628743887 CET	49814	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:26.628743887 CET	49814	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:26.748316050 CET	14161	49814	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:26.841609955 CET	49864	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:26.961236000 CET	14161	49864	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:26.961333990 CET	49864	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:47.326730013 CET	49864	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:47.446425915 CET	14161	49864	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:48.864032030 CET	14161	49864	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:48.864239931 CET	49864	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:48.864326000 CET	49864	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:48.983865976 CET	14161	49864	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:49.076055050 CET	49915	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:42:49.197236061 CET	14161	49915	147.185.221.24	192.168.2.5
Dec 25, 2024 12:42:49.198751926 CET	49915	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:10.718324900 CET	49915	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:10.839147091 CET	14161	49915	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.099551916 CET	14161	49915	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.099801064 CET	49915	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.099853039 CET	49915	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.219440937 CET	14161	49915	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.310405016 CET	49964	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.430341005 CET	14161	49964	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.430444002 CET	49964	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.732125998 CET	49964	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.732125998 CET	49964	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:11.851784945 CET	14161	49964	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.895205021 CET	14161	49964	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:11.935373068 CET	49966	14161	192.168.2.5	147.185.221.24
Dec 25, 2024 12:43:12.055082083 CET	14161	49966	147.185.221.24	192.168.2.5
Dec 25, 2024 12:43:12.055183887 CET	49966	14161	192.168.2.5	147.185.221.24

Target ID:	0
Start time:	06:40:55
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\test.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\test.exe"
Imagebase:	0x400000
File size:	257'536 bytes
MD5 hash:	57BD4F73690590693B5B921F29679410
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 00000000.00000002.2021478489.000000000235B000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: DarkComet_2, Description: DarkComet, Source: 00000000.00000002.2021478489.00000000023B1000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\test.exe" +s +h
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib "C:\Users\user\Desktop\test.exe" +s +h
Imagebase:	0xd60000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib "C:\Users\user\Desktop" +s +h
Imagebase:	0xd60000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Imagebase:	0x400000
File size:	257'536 bytes
MD5 hash:	57BD4F73690590693B5B921F29679410
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 00000008.00000002.3265409763.0000000002381000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000008.00000002.3265409763.000000000237A000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: ProjectM_DarkComet_1, Description: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, Source: 00000008.00000002.3265409763.00000000022D3000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: ProjectM_DarkComet_1, Description: Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157, Source: C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs Detection: 94%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Imagebase:	0x900000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe"
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:40:56
Start date:	25/12/2024
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	notepad
Imagebase:	0x970000
File size:	165'888 bytes
MD5 hash:	E92D3A824A0578A50D2DD81B5060145F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	06:41:09
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Imagebase:	0x400000
File size:	257'536 bytes
MD5 hash:	57BD4F73690590693B5B921F29679410
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.2137622893.00000000022FB000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.2137622893.0000000002351000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:41:17
Start date:	25/12/2024
Path:	C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
Imagebase:	0x400000
File size:	257'536 bytes
MD5 hash:	57BD4F73690590693B5B921F29679410
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 0000000E.00000002.2218818182.000000000232B000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000000E.00000002.2218818182.0000000002381000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.4%
Total number of Nodes:	938
Total number of Limit Nodes:	56

Executed Functions

Function 00406C2C Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,00000000,00000005,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlen.KERNEL32(00000000), ref: 00406D86
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406DCD
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406DDD
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406E05
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406E15
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406E3B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98
., xrefs: 00406D98

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 94ea5a7645543b784b85917594646716072f6a36af782de090db3c5bc8994513
Instruction ID: 0791cc663e9e3f03257ec30459fd5a506504409c9953da17e558a2b9a1f5220e
Opcode Fuzzy Hash: 94ea5a7645543b784b85917594646716072f6a36af782de090db3c5bc8994513
Instruction Fuzzy Hash: D0516275A0031C7EFB21E6A4CC46FEF76AC9B04744F5100B7BA05F61C2D6789A548B68

Function 0048AEA8 Relevance: 9.1, APIs: 6, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,?,00000000,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?,0048AF9A,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6), ref: 0048AF8D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 586cd32b4f829490d7bdc1f83c6a9d589776fc218804ee8c8e98b50f9624b6ec
Instruction ID: f27b56eae406db6a86ffc6d2388615f6d5ab0a83f32bae61da12d7da3f97915c
Opcode Fuzzy Hash: 586cd32b4f829490d7bdc1f83c6a9d589776fc218804ee8c8e98b50f9624b6ec
Instruction Fuzzy Hash: 0D31CD71908204AEFB02EB65DC02AAF77FDEB49704F514877F604E2580D7BC5910C72A

Function 0048DDE0 Relevance: 7.6, APIs: 5, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,0000000A,00000000,0048DE71), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0000000A,00000000,0048DE71), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,00000000,0048DE71), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000000A,00000000,0048DE71), ref: 0048DE51

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 330c4b42ba5b275b599114ee44931eceb03e62696c017da7dd77a7b239deaad5
Instruction ID: 40824acdeb4c668ed84c2e309baa483db7f9e82a47f3d8707da4bd9c696a7e82
Opcode Fuzzy Hash: 330c4b42ba5b275b599114ee44931eceb03e62696c017da7dd77a7b239deaad5
Instruction Fuzzy Hash: 96019670B087047FE705B7668C92B6F76ACDB45714F50447AB804F72C2DA785E0185A9

Function 0048F6D4 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,0048F75A), ref: 0048F6EE

Part of subcall function 0045DAE0: GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
Part of subcall function 0045DAE0: GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
Part of subcall function 0045DAE0: GetCurrentThreadId.KERNEL32 ref: 0045DB4F
Part of subcall function 0045DAE0: GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
Part of subcall function 0045DAE0: RegisterClipboardFormatA.USER32(00000000), ref: 0045DB9B
Part of subcall function 0045DAE0: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
Part of subcall function 0045DAE0: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0045DC30

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID:
API String ID: 3775504709-0
Opcode ID: 1a6ca772e665be0d5e2147fce052cbccd5c6586128211161abdec0926dca869e
Instruction ID: 5dfe81b55c574a427b98dbe66f5d6a9d533f93086e21499d56a6489fb626f44d
Opcode Fuzzy Hash: 1a6ca772e665be0d5e2147fce052cbccd5c6586128211161abdec0926dca869e
Instruction Fuzzy Hash: 2DF01D382052469FEB15FB2AFCA685B37A5F747B04365453AE90083672CA3DAC81CF4D

Function 00445844 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e7547670c3529c1ec234d97f517d145bc95432ad10ab0304b8c8c35a46a1a0af
Instruction ID: 8d43881d36beb9ca30850cefc944607bdbfa04bbe24ebecfb5ada86ebc02f145
Opcode Fuzzy Hash: e7547670c3529c1ec234d97f517d145bc95432ad10ab0304b8c8c35a46a1a0af
Instruction Fuzzy Hash: 55F0C579205608AFCB40DF9DC688D4AFBE8BB4C264B058195F988CB321C634FD808F90

Function 004458CC Relevance: 19.9, APIs: 13, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e887bd4f1dfaa7686a9bcd8d1f279d96a173f6335af05e048c1ae5566ea5a7b6
Instruction ID: 5d41e5e6e978f13ffba52ebebe76b2d2211e2989e7cd194b6ee29f4bff662562
Opcode Fuzzy Hash: e887bd4f1dfaa7686a9bcd8d1f279d96a173f6335af05e048c1ae5566ea5a7b6
Instruction Fuzzy Hash: 0BE16235600A04EFEF10DB69C986A5EB7B1AF15314F2441ABE805DB353DB38EE45DB0A

Function 004450B4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,0000FF91,?,00001000), ref: 00407582

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000,?,000000FC,?), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 0044521E
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 00445235

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: LPI$PMD
API String ID: 2103932818-807424164
Opcode ID: a795f8368c72bf9755699305abd7a5f4cfd762d93ac83f927319b92138bcea53
Instruction ID: 45774ccd7fe4bbee92ba76f83e27da9187e70a830207dbb7965792a263479547
Opcode Fuzzy Hash: a795f8368c72bf9755699305abd7a5f4cfd762d93ac83f927319b92138bcea53
Instruction Fuzzy Hash: FA4165707446006FEB11EB79DD81F6633A8BB58708F54457BF940EB2D2DAB8AC448B6C

Function 0045DAE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32 ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterClipboardFormatA.USER32(00000000), ref: 0045DB9B

Part of subcall function 00419AB0: RtlInitializeCriticalSection.NTDLL(004174C8), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: 73A0A570.USER32(00000000,00000000), ref: 00443BF2

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?,00400000,?,00000100,00400000,MAINICON), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000,?,00400000,?,00000100,00400000,MAINICON), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
USER32, xrefs: 0045DC1A
AnimateWindow, xrefs: 0045DC2A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$A570ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1424775178-1126952177
Opcode ID: ffb51e500db148972dbc7beb344726cd61151559649c8c2c6e7fcfafe53c6a46
Instruction ID: 6f53dff375a4883d2d831e657bded5a36ce5427faee736874cb8f4f836a9cbe8
Opcode Fuzzy Hash: ffb51e500db148972dbc7beb344726cd61151559649c8c2c6e7fcfafe53c6a46
Instruction Fuzzy Hash: FB412C70A042459FCB01EFB9DC82A9E77F5EB55308B50443BE805E7392DB78A904CB9D

Function 00444D60 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?,00400000,?,00000100,00400000,MAINICON), ref: 00444EDB
CharLowerA.USER32(00000000,?,00400000,?,00000100,00400000,MAINICON), ref: 00444EE1

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4

Strings

0PI, xrefs: 00444E4F, 00444E81
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3
MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
8PI, xrefs: 00444F14

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 2763768735-4242882941
Opcode ID: 77cd31dde7a254b12dcbd14e884636f65d8ee8cfd0de4363eb70654305326d13
Instruction ID: 06aa92317af97af354310108114fc43928138ba0e5fc63c50b1d0a67c31c050c
Opcode Fuzzy Hash: 77cd31dde7a254b12dcbd14e884636f65d8ee8cfd0de4363eb70654305326d13
Instruction Fuzzy Hash: AC519370A042449FDB00DF79D885B867BE4AF55308F0484BAE848CF397D7BE9948CB69

Function 0040EBCC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

:mm, xrefs: 0040EE35
AMPM , xrefs: 0040EE25
m/d/yy, xrefs: 0040ECD1
AMPM, xrefs: 0040EE16
:mm:ss, xrefs: 0040EE52
mmmm d, yyyy, xrefs: 0040ECFE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 97c7d496bb53be2e2f1e8ccab3a885c64af014bd89a797615cdadca924b25190
Instruction ID: aaeb9d40802ec5ae2508282512743e540ede4d173f4b74b0285699a3e9fdf19b
Opcode Fuzzy Hash: 97c7d496bb53be2e2f1e8ccab3a885c64af014bd89a797615cdadca924b25190
Instruction Fuzzy Hash: A8614030A142499BDB04FBA6DC41A9F76A6DB88344F50983BF501BB2C6CA3CDD198B5D

Function 0045F5F8 Relevance: 10.6, APIs: 7, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,00000000,80000000,00000003,00000000,00000003), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,00000000), ref: 0045F6D6
CloseHandle.KERNEL32(00000000,0045F701,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,00000000,80000000,00000003,00000000,00000003,08000080), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF,0045F71F,00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F712

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleView$AttributesMappingSizeUnmap
String ID:
API String ID: 167332613-0
Opcode ID: b5eac0610075032de7a2513c2e8b1ccfa55d8627e30672ccf82c01737deb6b57
Instruction ID: d9c6f71f691b19bcb4ee1194854831e90a332a8fa662ee832f42c67c2bd9428c
Opcode Fuzzy Hash: b5eac0610075032de7a2513c2e8b1ccfa55d8627e30672ccf82c01737deb6b57
Instruction Fuzzy Hash: 15310A70B44304BFEB11DBA5CC12F9E77A8EB49715F60047AF900B76C2D6B96908CB59

Function 0048AFE8 Relevance: 10.6, APIs: 7, Instructions: 94
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: LookupNamePrivilegeProcessSleepToken$CurrentDisplayInformationOpen
String ID:
API String ID: 1061088034-0
Opcode ID: 21e2fa693b77e1687dd1e63adc00faec3f2a514a54548c721fb9981da1c068fc
Instruction ID: 7c8d2886aa7ef519a2b7c923d08911df63507ab73f508915f19d2e4a7a9e0dd2
Opcode Fuzzy Hash: 21e2fa693b77e1687dd1e63adc00faec3f2a514a54548c721fb9981da1c068fc
Instruction Fuzzy Hash: 04312171A4420AAFDB11FBA58C45BAF76BCEB04748F40443AB510F72C2D77D990587A9

Function 00444344 Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E
GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 73c0bd8e7eba965e0eed61374b502eb59efd9f208b8da5e283795ebf1aa8dac0
Instruction ID: b1c09ccfec85a5ba36baee35f792ea941e583b01de7403cfe65684905621fe73
Opcode Fuzzy Hash: 73c0bd8e7eba965e0eed61374b502eb59efd9f208b8da5e283795ebf1aa8dac0
Instruction Fuzzy Hash: BF31A6707442049BEB50EB79DC82B9A73E4BB84304F4480BBB948DB296DE7C9C45CB2D

Function 0048F888 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0048F8B5

Strings

GENCODE, xrefs: 0048F920, 0048F97C
.dcp, xrefs: 0048F92D, 0048F989
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
DCDATA, xrefs: 0048F8E9

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2538663250-3060965071
Opcode ID: c8d23b0a707152b339a570303755190e6830791e8e8d29d6a416c3cd974e37fe
Instruction ID: b08631961c5cd19e193c3a866378085dc4ec355b107417d0119518117b8188ee
Opcode Fuzzy Hash: c8d23b0a707152b339a570303755190e6830791e8e8d29d6a416c3cd974e37fe
Instruction Fuzzy Hash: 3B415E30A00205AFDF00FFA5D881A9E77B5EB98708F10893AF800BB295D779AD15CB59

Function 00485150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 779948276-1428018034
Opcode ID: a9a44120790dd27ed231a7a141495d9def3d41c41f358777dd71e94df13e925a
Instruction ID: 1700025a89521513581c772896e48f0ca3f8c3b0a114657fab2bfa2817695fa9
Opcode Fuzzy Hash: a9a44120790dd27ed231a7a141495d9def3d41c41f358777dd71e94df13e925a
Instruction Fuzzy Hash: 23118971A14604FFE701FB95CC92E5FBBBCDB08714F5144B6F504E2581D6386D008A68

Function 0042B47C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 0042B438: 73A0A570.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,058A00B4), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
Tahoma, xrefs: 0042B4C4
MS Shell Dlg 2, xrefs: 0042B50C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: A570MetricsObjectSelectText
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 2329979789-1011973972
Opcode ID: ff75d22deb57d8c69c22a3c40202624ec17a0e5eff89a5d65fc7e5ca5ae1e0f8
Instruction ID: 2baebb24881f48a3b3c6291d9e922c7faec78eca70ad76c405db218042662dfc
Opcode Fuzzy Hash: ff75d22deb57d8c69c22a3c40202624ec17a0e5eff89a5d65fc7e5ca5ae1e0f8
Instruction Fuzzy Hash: 05118E30700254AFC711EF65E84295DB7E5EB5A708FD144BAE400AB6A1D739AD41CB5C

Function 0046D36C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

open, xrefs: 0046D3B2
/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /k $cmd.exe$open
API String ID: 587946157-2943618638
Opcode ID: 9eae86065d0d93ebf250c3bbcf9c14ea5c5197c6d3b9a0c92b6e8e4b1917c459
Instruction ID: b348eb8f8a4a7142209e6b7ca6197fd20041c88382e3d2082d80296213269b31
Opcode Fuzzy Hash: 9eae86065d0d93ebf250c3bbcf9c14ea5c5197c6d3b9a0c92b6e8e4b1917c459
Instruction Fuzzy Hash: ABF04F70F50708ABD714EA66CC52B5EBBA8DB44710F604077A804A27D1EA785A40892A

Function 00421140 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: dec3ee531a7ce402010801fe59b78d5cfa3083ca5ed5f45e72ed571559e40154
Instruction ID: 110623671df19a8c119f7efad29f938b40404c1e1935042c7fba86dbaf329099
Opcode Fuzzy Hash: dec3ee531a7ce402010801fe59b78d5cfa3083ca5ed5f45e72ed571559e40154
Instruction Fuzzy Hash: 290161717441056BCB10EBA8AE81FAA3799E76C314F10423BFA54E73F1DA39A950875C

Function 0040A3AC Relevance: 6.0, APIs: 4, Instructions: 40timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Time$File$DateErrorLastLocal
String ID:
API String ID: 4098483309-0
Opcode ID: 849e055ad73741d85f8b77c6e24adce14b30157ec6a4943e75ef51e4ddc398e9
Instruction ID: 983d5f7c44628d8c784d5738126cf8fd5eabf3f31e4c252f5fb34eef9e9ed5dd
Opcode Fuzzy Hash: 849e055ad73741d85f8b77c6e24adce14b30157ec6a4943e75ef51e4ddc398e9
Instruction Fuzzy Hash: 74F01D62E1420C6AEB10DAE64D41BEFB3EC9B08244F100177BE04F2181F638AE4493AA

Function 00443B58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00443B9D
73A0A570.USER32(00000000,00000000), ref: 00443BF2

Strings

\tA, xrefs: 00443BA7, 00443BB6, 00443BC5, 00443BD4, 00443BE3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: A570KeyboardLayout
String ID: \tA
API String ID: 3858012219-3496985394
Opcode ID: b60e4b735bba11c956e67c73bfda407d4b4f4db3c39a7610973aeb9c4602713a
Instruction ID: 29537f1638e64609c9d649e3370045f7d653eb268bb0a8d821b114b3e0fef75c
Opcode Fuzzy Hash: b60e4b735bba11c956e67c73bfda407d4b4f4db3c39a7610973aeb9c4602713a
Instruction Fuzzy Hash: 7631FDB06042409FD740EF69E8C1B497BE0BB45359F44D57BF948DF3A2DB7AA8048B58

Function 00421808 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseCreate
String ID: ddA
API String ID: 2932200918-2966775115
Opcode ID: 7f559e4a633603bdb811d58f77d66e659ed0bd7154da353762090d466b1b411f
Instruction ID: cfad480237e28ed3f51aa3fa484e42dbb6bdc5b5e79649963ce829f546b57270
Opcode Fuzzy Hash: 7f559e4a633603bdb811d58f77d66e659ed0bd7154da353762090d466b1b411f
Instruction Fuzzy Hash: 5E216231B00208AFD710EBA5DC92BAF77E8DB54344F90407AF500E72D1DA78AE049759

Function 00421A08 Relevance: 4.6, APIs: 3, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 741013630ea307d4dee4a794fb5e03e928169802d1f4b30187e73d0d7af1e6fa
Instruction ID: 62117f3e2099be30002a1187e1ac258d047a2b04edd82fdc1cf163ad4c72df03
Opcode Fuzzy Hash: 741013630ea307d4dee4a794fb5e03e928169802d1f4b30187e73d0d7af1e6fa
Instruction Fuzzy Hash: FD41A330F00618AFDB11EB65D841B9FB7FAEB54344FA0447AA804E32A1D778AF05DB48

Function 0040EB08 Relevance: 4.6, APIs: 3, Instructions: 56threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 0040EB2A
GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MetricsSystem$LocaleThread
String ID:
API String ID: 2159509485-0
Opcode ID: 1aa49e37dacbf832dff8b917a021a9d23a2060c9d10b56b725361bdc9b6fbadb
Instruction ID: 88fff8dd8369656633ad9e12758364492816d2b05fbde46ddfe4393e26846003
Opcode Fuzzy Hash: 1aa49e37dacbf832dff8b917a021a9d23a2060c9d10b56b725361bdc9b6fbadb
Instruction Fuzzy Hash: DB0148316007128AD320EA679441763BAE8DB41365F08C87FE8CAA72D1DB3CA851C75A

Function 0048C91C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104,00000000,0048C9CD,?,00000000,0048C9FA), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: %.4x:%.4x
API String ID: 2039140958-3532927987
Opcode ID: dc07c9e469255b99c7459551e62b454771a897901b312345c20d514864062379
Instruction ID: 64ba49aa807a29c7c7eb02e727126ae6cdba678ede47bc6f0b89cebbca66f9c3
Opcode Fuzzy Hash: dc07c9e469255b99c7459551e62b454771a897901b312345c20d514864062379
Instruction Fuzzy Hash: 772160B1A04208AEDB01EB95C891BEEBBF8EB49704F5044B6F544E2280E6795E00DB74

Function 004221F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: ldA
API String ID: 3660427363-3200660723
Opcode ID: 6573f74c1f9223d1a56143eaa92d6225a22fb892ff99ef68d3a97bed3f73a81d
Instruction ID: 6d5f433d44f6d15f34e9e764ddc2f2ce11a8bdb33e462f041f710034e25ba14c
Opcode Fuzzy Hash: 6573f74c1f9223d1a56143eaa92d6225a22fb892ff99ef68d3a97bed3f73a81d
Instruction Fuzzy Hash: BE017C76A00208AFD700DA99DC81E9FB7ACAB58324F4081BBF904D7291D6349E0487A9

Function 00422188 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 004221BA

Strings

tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Value
String ID: tdA
API String ID: 3702945584-2901657147
Opcode ID: 213107e27835ce7d087e0b0684be10673b617f4d20ad99c5d2e5d6d07da5e035
Instruction ID: c0fde491dc406c808480cd6262d93edf6f5e19d59013018c1d6ea7df797640af
Opcode Fuzzy Hash: 213107e27835ce7d087e0b0684be10673b617f4d20ad99c5d2e5d6d07da5e035
Instruction Fuzzy Hash: 72F08171A001087BD700EA9ADC81EAFBBEC9F58224F044166BA18D7291D6389D01C7A4

Function 004218E4 Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004219E9), ref: 0042195E
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004219E9), ref: 00421992

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 531d20957de1e832fb120bf5cb0d5285924e0ead67cdf493a5ff5e192394c714
Instruction ID: 32a54d32d6eaeb6dc7cecc1fb34dd1f5fee2941a4ab35b4e6e971bf75e2f9f36
Opcode Fuzzy Hash: 531d20957de1e832fb120bf5cb0d5285924e0ead67cdf493a5ff5e192394c714
Instruction Fuzzy Hash: 8131A171B00658BFDB11EBA5D852B9FB7F9EB58304F90447AB400E32A1D778AE04CB58

Function 00443F14 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00443F21
LoadCursorA.USER32(00000000,00000000), ref: 00443F50

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 87701c6066a5e896434b7b70d042fb88e9644d8fd2c4faa6378f975c0d0750f7
Instruction ID: f734e92d0488aed2b2b3a7793f3cdc645a992b91f45aeb0379925902a8e886eb
Opcode Fuzzy Hash: 87701c6066a5e896434b7b70d042fb88e9644d8fd2c4faa6378f975c0d0750f7
Instruction Fuzzy Hash: 65F0AE21F0430527A610597D5CD193E7264DBE1F36B60037BF93AD72D1CB395D454259

Function 00421770 Relevance: 3.0, APIs: 2, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(00000000,?,004217DC,?,?,00000000,004219D3,?,00000000,00000000,00000000,?,?,00000000,004219E9), ref: 00421781
RegCloseKey.ADVAPI32(00000000,?,004217DC,?,?,00000000,004219D3,?,00000000,00000000,00000000,?,?,00000000,004219E9), ref: 0042178A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 172e384c99633260910a49d367581092f6a30a1e7669a58c219ddb1578f9b5c9
Instruction ID: fc924f33d897f6e4b67b20dec39f56b568dbcb6892d1a516178f316fd36fbaf7
Opcode Fuzzy Hash: 172e384c99633260910a49d367581092f6a30a1e7669a58c219ddb1578f9b5c9
Instruction Fuzzy Hash: 4ED01261B102009ACF50EE76D9C96077BD89F44344B44C4A7A808DF197D638D4048B28

Function 0048B724 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000,00000000,00489C5F,?,?,00000005,00000000,00000000,?,00485721,00000000,00485755,?,?,00000005), ref: 00489BEC

Part of subcall function 0048C91C: GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104,00000000,0048C9CD,?,00000000,0048C9FA), ref: 0048C974

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CurrentInformationPathProfileTempVolume
String ID:
API String ID: 2757621706-0
Opcode ID: 61eb7985d0b5bd84454a827fd82226c7999c8cca4c9cea09af0c50f0d06e985d
Instruction ID: cdac46f4a2fce0d9d757658583800b58a2f3db20cb4703613cf624bb0b21ab22
Opcode Fuzzy Hash: 61eb7985d0b5bd84454a827fd82226c7999c8cca4c9cea09af0c50f0d06e985d
Instruction Fuzzy Hash: 39415370A046089FDB14FB65C851B9EB7B9EF88304F5084FBE408A3691DB385B459F58

Function 00422274 Relevance: 1.6, APIs: 1, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004222FA), ref: 004222DF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6d67a2beb7c1e076d38b4a70447f95d26d9b7e21cc5438e818ef7a82c653c995
Instruction ID: 46b1baecfced4c43d3002fbbd46695a66abe038bcc33cdd1a8f76b1c16d2a77b
Opcode Fuzzy Hash: 6d67a2beb7c1e076d38b4a70447f95d26d9b7e21cc5438e818ef7a82c653c995
Instruction Fuzzy Hash: A901B570700608BFD700EBA5DC52B9F73ECEB48304FA0007AF805E3691EA799E009A58

Function 00404544 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,004045CB), ref: 004045AA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 43944fdcd3f4fd2ba1253df16c312b873a3489a7e9ea22d13b794c4bab242403
Instruction ID: 8e50b20754b99778aea2fd508be551c6341b36c8a3d143169880bc4ef9dbbca9
Opcode Fuzzy Hash: 43944fdcd3f4fd2ba1253df16c312b873a3489a7e9ea22d13b794c4bab242403
Instruction Fuzzy Hash: A201A2B1604608AFCB10FB299D4398FB7ACDB44704FA144BBB508F36D2EA785F108968

Function 0040857A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d30b484ec921266ed0f81df9ba10d707b2799ba7563b7fd009626a4d8c406424
Instruction ID: 04bc7ba690b64a9cd008a2157679cce2d6694ce6da89d54e433565a2feb9e053
Opcode Fuzzy Hash: d30b484ec921266ed0f81df9ba10d707b2799ba7563b7fd009626a4d8c406424
Instruction Fuzzy Hash: B7F074B2700118BF9B80DE9DDD81D9B7BECEB4D264B054129FA08E7201D634ED118BB4

Function 0040857C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8c04635c6acf6c9936716696905ed52fd88a22118769ec0bb158fc0be345f43f
Instruction ID: e72d876b6b6ada9aac40d2b7e7319e3113bbcda415e24fd85b0ef7280cc01dba
Opcode Fuzzy Hash: 8c04635c6acf6c9936716696905ed52fd88a22118769ec0bb158fc0be345f43f
Instruction Fuzzy Hash: 19F074B2600118BF8B80DE9DDD81D9B7BECEB4D264B054129FA08E7201D634ED118BB4

Function 0042230C Relevance: 1.5, APIs: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00422274: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004222FA), ref: 004222DF

RegCloseKey.ADVAPI32(00000000,00000000,00422371), ref: 0042234F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 0b42893eec94ef0df653ea858331c836291e82fb3a636da02a1ad569b43690bd
Instruction ID: b3b501d6ce1d198399b5acc55379d4f22d8b1445f3d6bad9d7175ef71cc839ec
Opcode Fuzzy Hash: 0b42893eec94ef0df653ea858331c836291e82fb3a636da02a1ad569b43690bd
Instruction Fuzzy Hash: F1018C71E04304EFDB05CFA9D99195DB7F8EB49300BA140F6E800A3351D678EE00DA54

Function 00421F68 Relevance: 1.5, APIs: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,00422140), ref: 00421F9A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e0d48b570f592cecfd3cf1baece5e13ed63849365e340ae46cf7aee04b00ff40
Instruction ID: f661016e06004236a119a1492c017bb107c3e28a2e266acda23c6d4558a64836
Opcode Fuzzy Hash: e0d48b570f592cecfd3cf1baece5e13ed63849365e340ae46cf7aee04b00ff40
Instruction Fuzzy Hash: 45F012663091046BD604E96A9C41FAB779CDB84355F04443EF548C7141DA24DD059769

Function 0040A16C Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00417A80,0041BCD6,00000000,0041BD54,?,?,00417A80), ref: 0040A1BA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 413e68b8dc054b864993eada5ac3718994ab04eddc793b5cb84f24028698c737
Instruction ID: 189b4e2f57034ccfc0894311bd19ddf6960378b78735a07a5fdbd8cf74b751bb
Opcode Fuzzy Hash: 413e68b8dc054b864993eada5ac3718994ab04eddc793b5cb84f24028698c737
Instruction Fuzzy Hash: B9E06DB2B9065526F230B59D9CC2B8B614EC7857A9F19013BF514EB2D1C07CDC0662A9

Function 00472974 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,004729D0), ref: 004729B0

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 586070523af7e67f8fb8a9420f93687de41047ef680ae4d7f873c01af75ab043
Instruction ID: ca29aa0cc0c10cea8c2cc5f8fbca96927c4974e0813dc21f7bc577f7369313da
Opcode Fuzzy Hash: 586070523af7e67f8fb8a9420f93687de41047ef680ae4d7f873c01af75ab043
Instruction Fuzzy Hash: 82F0BBB0604704BFCB04EBA5CC5288EBBB8EB48310F60447BB404E36D1D6385E009958

Function 00472924 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?,00000000,00472969), ref: 0047294E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4c6a1fff45d03a0536812af493d1a32943d7e1c38b53daa8433cc08e4865bad8
Instruction ID: 7b9874b43244ca409f97191b304c2d96234f3a274cde773ee34bcf6a84d82eb8
Opcode Fuzzy Hash: 4c6a1fff45d03a0536812af493d1a32943d7e1c38b53daa8433cc08e4865bad8
Instruction Fuzzy Hash: 9BE06DF0614704BFD705EB66CD5285EBBECEB497107E144B6F508E2691E6786E009868

Function 004069C8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004069E6

Part of subcall function 00406C2C: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406C48
Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C66
Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C84
Part of subcall function 00406C2C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2
Part of subcall function 00406C2C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
Part of subcall function 00406C2C: RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406D31,?,80000001), ref: 00406D09
Part of subcall function 00406C2C: RegCloseKey.ADVAPI32(?,00406D38,00000000,00000000,00000005,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: cbb5936cde9907489e9df45f8c74cff5da1cf77b760d36e24b353934a863591f
Instruction ID: cc8616488df236c9c396893e69553b13bc7ba1f64ff3dd71edb0a08e9e1e42dc
Opcode Fuzzy Hash: cbb5936cde9907489e9df45f8c74cff5da1cf77b760d36e24b353934a863591f
Instruction Fuzzy Hash: 13E06D71A002108BDF10EE68C8C1A8737D8AB08754F014966ED54EF38AD3B5DE208BD4

Function 00473A40 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

74601370.SHFOLDER(00000000,00000026,00000000,00000000,?,?,00473AAB,00000000,00473AD0,?,?,00000000), ref: 00473A51

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: 74601370
String ID:
API String ID: 492834031-0
Opcode ID: b43270a4b48d584534e77d9d86a836dadcc4e98bef61c45e96a6421820e75870
Instruction ID: 20c61e685c0064e9ca10ddcb07d8265ffd1137f39ddf272bdb95c69999f92b8d
Opcode Fuzzy Hash: b43270a4b48d584534e77d9d86a836dadcc4e98bef61c45e96a6421820e75870
Instruction Fuzzy Hash: 41E0C26135470023F310142A0C83BA7204DCB807A5FA4403E3A58DA2E2ED8CDA04256A

Function 0040F234 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000,00473B94,00000000,00473C15,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040F24B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: c5e80ab05d07216b1c405b7f831b1c66e2845050ae7b292eeb89b8df078fb885
Instruction ID: 6b6d79c0b1cff8c4e6b8a822e08737e838be10aa554a27adf4acbba5d3dbee01
Opcode Fuzzy Hash: c5e80ab05d07216b1c405b7f831b1c66e2845050ae7b292eeb89b8df078fb885
Instruction Fuzzy Hash: BED02372B0091427D300E06C1C829FB31CD8B88728F400036759CD73C2F9655D0003D6

Function 0040A26C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ca430efd6d1af3f88608577e57a415d2a7a9318a6c8bf82aed908aade91cf978
Instruction ID: 46b79c9c4024027cd3ed892940770b7067cf466bdeca4dc6913eab36ba71945e
Opcode Fuzzy Hash: ca430efd6d1af3f88608577e57a415d2a7a9318a6c8bf82aed908aade91cf978
Instruction Fuzzy Hash: 64C08CA03127000ADA9061BD1CC921F03884A4533836C0FBBF828F27D3D23E9872242B

Function 0040A290 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000001,0040A334,00000000,0040A39D,?,?,00000000,00000000,00000000,00000000), ref: 0040A29B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9b9b1dad7bcb53aec0f9ff38cc09dd645f46a9eca66c5f7f37c49a5f9f992f98
Instruction ID: 60f1dd72526640fd44ef64e84f9aa93273782f2607bf232b5a25cf6c21d6d861
Opcode Fuzzy Hash: 9b9b1dad7bcb53aec0f9ff38cc09dd645f46a9eca66c5f7f37c49a5f9f992f98
Instruction Fuzzy Hash: 7DC08CE07117000BDE1061BE0CC111F22884AA53387741BBBF038F2BC3D23E9872242A

Function 0040A84C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000001,0040A378,00000000,0040A39D,?,?,00000000,00000000,00000000,00000000), ref: 0040A859

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 9a149f50b79a9565910e520281c21b8a27bb12522ecd158f1916ae7445b046ed
Instruction ID: 3b5a30eb45fec5fb1e70915e099d61b5d1901136ac7d909abf41746f3b96e812
Opcode Fuzzy Hash: 9a149f50b79a9565910e520281c21b8a27bb12522ecd158f1916ae7445b046ed
Instruction Fuzzy Hash: 51B092E2B943401AEA0035BA0CC2F2F008CD70462AF60193BF101E6183D57AC8044065

Function 00421084 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 308b0a8e157a38aba37f1cb0246eb6e8aea15631d0b9b0806a497c48e0e80e4f
Instruction ID: 545a2004b0a199b424e65af0b6ad9350791d782df71e5161e124e3c884d4c3a1
Opcode Fuzzy Hash: 308b0a8e157a38aba37f1cb0246eb6e8aea15631d0b9b0806a497c48e0e80e4f
Instruction Fuzzy Hash: 8211487424031A9BD710DF19D881B82FBE5EB58390F10C53BEA988B795D378E9018BA9

Function 0048C308 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0040A16C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00417A80,0041BCD6,00000000,0041BD54,?,?,00417A80), ref: 0040A1BA

Part of subcall function 0040A3AC: DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0040A3C9
Part of subcall function 0040A3AC: LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
Part of subcall function 0040A3AC: SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
Part of subcall function 0040A3AC: GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

CloseHandle.KERNEL32(?,0048C39D), ref: 0048C390

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileTime$CloseCreateDateErrorHandleLastLocal
String ID:
API String ID: 2313166750-0
Opcode ID: 9522c8212507b8d7d75b2f40495846eb5b106b5cc7e24c7e56510e5b1b40e3aa
Instruction ID: 01c718f21c504b2d3cba53ed9342c5db474bfa9d3e8c0c045f56d2a338be4d65
Opcode Fuzzy Hash: 9522c8212507b8d7d75b2f40495846eb5b106b5cc7e24c7e56510e5b1b40e3aa
Instruction Fuzzy Hash: 5A01D6B0A10704BFD711EF65CC9281EBBF8EB0A714F5188BAF810E3A90D7385D10DA58

Function 004016F8 Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a708df6bad618cf595e0409471c4dde2eefb5957c61e6843bc63c9b7a36677d3
Instruction ID: 53975941242e7c688173782f03e5d60935352646a045c052a767a41d5ae573f7
Opcode Fuzzy Hash: a708df6bad618cf595e0409471c4dde2eefb5957c61e6843bc63c9b7a36677d3
Instruction Fuzzy Hash: 9BF04FF1B117008BDB069FF99D817057AD5E789344F2081BEEA09DB3A8E77585018B18

Non-executed Functions

Function 0048B42C Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF

Strings

CTRLZ, xrefs: 0048B5B4
CTRLA, xrefs: 0048B44C
CTRLF, xrefs: 0048B641
CTRLC, xrefs: 0048B4DC
CTRLX, xrefs: 0048B524
CTRLY, xrefs: 0048B5FC
CTRLV, xrefs: 0048B494
CTRLP, xrefs: 0048B56C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: f089d9734505696fd3cf7c75580600df9ea08211b03c854e42bcbcafaf83bed7
Instruction ID: 7bc6cfcbce1aa6a609a57895faa01688f24ad8a403329c94b47a068b8f17d9de
Opcode Fuzzy Hash: f089d9734505696fd3cf7c75580600df9ea08211b03c854e42bcbcafaf83bed7
Instruction Fuzzy Hash: 396197B07D0F087EF9B172958D6BF9E12558B04F15F20482A77483D1C3BAED2B4126AE

Function 00460AC0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00460BFA

Strings

Process32Next, xrefs: 00460B62
Heap32ListFirst, xrefs: 00460AF6
Process32NextW, xrefs: 00460B86
Module32NextW, xrefs: 00460BF2
CreateToolhelp32Snapshot, xrefs: 00460AE4
Thread32Next, xrefs: 00460BAA
kernel32.dll, xrefs: 00460ACF
Process32FirstW, xrefs: 00460B74
Module32FirstW, xrefs: 00460BE0
Module32First, xrefs: 00460BBC
Heap32ListNext, xrefs: 00460B08
Module32Next, xrefs: 00460BCE
Process32First, xrefs: 00460B50
Heap32Next, xrefs: 00460B2C
Heap32First, xrefs: 00460B1A
Toolhelp32ReadProcessMemory, xrefs: 00460B3E
Thread32First, xrefs: 00460B98

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: cb1c389d623ae70f2f21763bd60f54e95ca16ce77cbbfbc0a35f95540e24b027
Instruction ID: 2dcb8aa922954ef3a3816dc7fa4d1e8ed79793e01e615060b68accaeef17e046
Opcode Fuzzy Hash: cb1c389d623ae70f2f21763bd60f54e95ca16ce77cbbfbc0a35f95540e24b027
Instruction Fuzzy Hash: DA31C8B0A442109FDF04EBB9D886B1737A8AB557487500E7BB000DF2D9E7B8AC408B5F

Function 004818F8 Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(?,00000000,?,?), ref: 00481948
CallNextHookEx.USER32(?,00000000,00000100,?), ref: 0048198C

Strings

[SNAPSHOT], xrefs: 00481BF5
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[F8], xrefs: 00481BBF
[F6], xrefs: 00481B9B
[LEFT], xrefs: 00481C07
[<-], xrefs: 00481B1D
[RIGHT], xrefs: 00481C19
[UP], xrefs: 00481C3D
[DOWN], xrefs: 00481C2B
[F2], xrefs: 00481B53
[NUM_LOCK], xrefs: 00481B2F
[F7], xrefs: 00481BAD
[F4], xrefs: 00481B77
[F3], xrefs: 00481B65
[DEL], xrefs: 00481BD1
[ESC], xrefs: 00481AE7
[INS], xrefs: 00481BE3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CallHookNext
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 3378577984-52828794
Opcode ID: 8e213d5daa596fe2973b521e1542285b3be37ee3ec3a5330c975ec30fdea5668
Instruction ID: 78927d755c31f68748f33c75f3b8e7a4b1291bdf9e1aaa957a5492ef2a046fff
Opcode Fuzzy Hash: 8e213d5daa596fe2973b521e1542285b3be37ee3ec3a5330c975ec30fdea5668
Instruction Fuzzy Hash: 9F814035514608EFDB00FA95C941ADE77EDEB04344F608C77E900A26A5D73CAE479B2E

Function 0048E06C Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175windowmemorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32(00000000,0048E05D,?,?,?,?,00000000), ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00001004,00000000,00000000,?,00000000,SysListView32,00000000,?,00000000,#32770,00000000), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,?,?,00000000,0000012C,00003000,00000004,?,00001004,00000000,00000000,?,00000000,SysListView32), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,?,?,00000000,0000012C,00003000,00000004,?,00001004), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,?,?,00000000), ref: 0048E18A
SendMessageA.USER32(00000064,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000064,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(00000064,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,00000064,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,00000064,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,00000064,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00008000,00000000,00000000,00008000,00000064,00001008,00000000,00000000,00000000,00000000,00000000,00000400), ref: 0048E23A

Strings

d, xrefs: 0048E177
SysListView32, xrefs: 0048E0E2
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$ProcessVirtual$FindMessageSend$AllocFreeMemoryText$CloseForegroundHandleLengthOpenReadThreadWrite
String ID: #32770$SysListView32$d
API String ID: 2704228757-185556463
Opcode ID: cd693579a1cfdc96ec20bb5d67622a8a1745748781cc2e690d1306c65cbc88a8
Instruction ID: ea16c31bb30a777811bce740e25f0c1c06cc35dcd76950f9802152683edf4bda
Opcode Fuzzy Hash: cd693579a1cfdc96ec20bb5d67622a8a1745748781cc2e690d1306c65cbc88a8
Instruction Fuzzy Hash: 7E510371E44608ABDB10EBA5DC42FDFBBB8EF48714F10446AF604F72C1D678A9418B69

Function 00473F34 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209threadinjectionmemoryCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0047419C), ref: 00473FF4
GetThreadContext.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0047419C), ref: 00474027
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044), ref: 0047404F
NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 00474064
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,?,00000000,00000000,00000000), ref: 00474080
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,?,00000000,00000000,00000000), ref: 0047409B
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,?), ref: 00474110
WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 00474130
SetThreadContext.KERNEL32(?,00000000,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000), ref: 0047414C
ResumeThread.KERNEL32(?,?,00000000,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?), ref: 00474155
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000), ref: 0047416B
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0047419C), ref: 0047417C

Strings

MZ, xrefs: 00473F8D
D, xrefs: 00473FC7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Process$MemoryThreadVirtual$AllocContextWrite$CreateFreeReadResumeSectionTerminateUnmapView
String ID: D$MZ
API String ID: 3369150660-3290396648
Opcode ID: 34951654fb7148f7d51727159e74b85ba96b60081b22600c665b761a110ad23e
Instruction ID: 52d790d3033ef108d7995e8787b9561e9053cac5372873f187a16e15736c85ec
Opcode Fuzzy Hash: 34951654fb7148f7d51727159e74b85ba96b60081b22600c665b761a110ad23e
Instruction Fuzzy Hash: 0E71DD71A00209AFDB50EB99CD45FEFB7BCBF48304F54442AF614E7681D778A9408B69

Function 00406A68 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00406A85
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406A9C
lstrcpyn.KERNEL32(?,?,?), ref: 00406ACC
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 00406B30
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406B79
FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406B8B
lstrlen.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406B97
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 00406BCB
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 00406BD7
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
kernel32.dll, xrefs: 00406A80
\, xrefs: 00406BA9

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 5aafdc4be12e5efdd9d42279546bac25bca391ed4356c3f45b4e9f3bfcbd8aef
Instruction ID: 3ae5c37d409f34fcf27cdf08506cb16005cd8bd3eecbd42afbf411402edc3aaa
Opcode Fuzzy Hash: 5aafdc4be12e5efdd9d42279546bac25bca391ed4356c3f45b4e9f3bfcbd8aef
Instruction Fuzzy Hash: DB417171E00168ABDB10DFA8CC89AEEB3BCEB45304F0544BAA545F7291D678DE508B58

Function 0048851C Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 302networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00488581
htons.WS2_32(00000000), ref: 004885A7
inet_addr.WS2_32(00000000), ref: 004885BB
gethostbyname.WS2_32(00000000), ref: 004885D3
connect.WS2_32(?,00000002,00000010), ref: 004885FD
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743
shutdown.WS2_32(?,00000002), ref: 00488907
closesocket.WS2_32(?), ref: 00488913

Strings

CONTROLIO, xrefs: 00488640
XMID, xrefs: 00488896
XLEFT, xrefs: 004887C6
XRIGHT, xrefs: 0048882E
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrmouse_eventshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1027240917-1300867655
Opcode ID: cd3a30b1e80f02b0565ff0fac0a5cae3a82dd1764119b69fd4ca89cad38ac8d4
Instruction ID: 4e03fa2607c6324ea98fb6bd6484ce50c7e0e3354b1b39edae72725015318aa2
Opcode Fuzzy Hash: cd3a30b1e80f02b0565ff0fac0a5cae3a82dd1764119b69fd4ca89cad38ac8d4
Instruction Fuzzy Hash: 7FC10474A00208DFDB10EB99C985B9EB7B9EF48304F5044ABE504EB396DB39AE45CF14

Function 00486E2C Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178networkthreadsleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00486E87
htons.WS2_32(?), ref: 00486EA8
bind.WS2_32(00000000,00000002,00000010), ref: 00486EBD
listen.WS2_32(00000000,00000005), ref: 00486ECD

Part of subcall function 004870D4: RtlEnterCriticalSection.NTDLL(0049C3A8), ref: 00487110

accept.WS2_32(00000000,?,00000010), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486FD0
RtlExitUserThread.NTDLL(00000000,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE
OK|Successfully started..|, xrefs: 00486EEF
ERR|Socket error..|, xrefs: 00486FA4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$AllocCloseCreateCriticalEnterExitHandleLocalSectionSleepUseracceptbindhtonslistensocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 1455999496-3262568804
Opcode ID: 9c853b67c0efaaf0e8379862e1d854b70b8415ed8a934f3e9757a40df7a5e797
Instruction ID: 330b6d5e8ca7d358a96bd715d31c0046abed32a4602e77c3a9e55e8bbd96ec0a
Opcode Fuzzy Hash: 9c853b67c0efaaf0e8379862e1d854b70b8415ed8a934f3e9757a40df7a5e797
Instruction Fuzzy Hash: 2A610F70E042189FDB40FBA5CC81AAEB7B9EF44704F20853BF514BB295DB38AD058B59

Function 00474208 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList), ref: 0047429A

Strings

WlanCloseHandle, xrefs: 00474241
WlanGetAvailableNetworkList, xrefs: 00474292
wlanapi.dll, xrefs: 00474211
WlanQueryInterface, xrefs: 00474277
WlanOpenHandle, xrefs: 00474226
WlanEnumInterfaces, xrefs: 0047425C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$wlanapi.dll
API String ID: 2238633743-982783174
Opcode ID: 131f67ed18dc1841b747a54eeab0c0e9484d912c37ab1340ea7a1dc050488e21
Instruction ID: 1b1b584ab70b599a09e57ee393cfeb683b0a66385e096c4620ec619856160cb6
Opcode Fuzzy Hash: 131f67ed18dc1841b747a54eeab0c0e9484d912c37ab1340ea7a1dc050488e21
Instruction Fuzzy Hash: 5B11D670B402109ED321AFA4D84B7A772A4ABA4788F544D7BB848572D5C37C54E0CB9D

Function 00469B90 Relevance: 18.5, Strings: 14, Instructions: 1038COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00469CDA
@, xrefs: 0046A6B6
invalid window size, xrefs: 00469D27
invalid block type, xrefs: 00469ED8
invalid distances set, xrefs: 0046A3E8
invalid stored block lengths, xrefs: 00469F40
unknown compression method, xrefs: 00469CFB
invalid literal/length code, xrefs: 0046A57C
invalid bit length repeat, xrefs: 0046A21D, 0046A314
invalid code lengths set, xrefs: 0046A11B
invalid literal/lengths set, xrefs: 0046A395
invalid distance too far back, xrefs: 0046A742
too many length or distance symbols, xrefs: 0046A050
invalid distance code, xrefs: 0046A6C0

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID: @$incorrect header check$invalid bit length repeat$invalid block type$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$invalid stored block lengths$invalid window size$too many length or distance symbols$unknown compression method
API String ID: 0-1207251497
Opcode ID: af32fa4fea2f8c98aa1611dc648d68027fc368677272e79b99ff8803321847fd
Instruction ID: 70a742bf0e6b26802f145232956222fdd1f506e219ea46470b50f8d4138f946c
Opcode Fuzzy Hash: af32fa4fea2f8c98aa1611dc648d68027fc368677272e79b99ff8803321847fd
Instruction Fuzzy Hash: 36922570608B418FC725CF29C58066AB7E2FB88304F148A2EE4D687755E778E995CF47

Function 0048485C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D

Strings

Mozilla, xrefs: 00484907
200, xrefs: 004849BD
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InternetOpen$HttpInfoQuery
String ID: 200$Mozilla$open
API String ID: 3396275114-1265730427
Opcode ID: 7d4210e464e6b5513354a01147238eeb12002b753217856a999451a1928529e8
Instruction ID: bd4a7f331ee14c47fdc3a16549272b02c59d40185987180eb944be2a6f51d9b7
Opcode Fuzzy Hash: 7d4210e464e6b5513354a01147238eeb12002b753217856a999451a1928529e8
Instruction Fuzzy Hash: B5618170A4020A9FDB20EFA5CC52B9EB7B5EB88704F5004A6F104BB281C7796E44CF5D

Function 00458910 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: a7e4015638541305c0cc4330e15c929173bc9f0cd132b6a38aa9e6750d00e7b5
Instruction ID: afcd0112b0a353e0b7b880c9ef2dfc7896f534c7da4812f16fdfb8643e04b228
Opcode Fuzzy Hash: a7e4015638541305c0cc4330e15c929173bc9f0cd132b6a38aa9e6750d00e7b5
Instruction Fuzzy Hash: 091163B15047019FC700DF6DC985A9B77D8AF49314F044A7EBD98EB287DB39D8048B66

Function 0043B7D8 Relevance: 12.1, APIs: 8, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000000,?,?,?,0043E506), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0043E506), ref: 0043B881
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000000,?,?,?,0043E506), ref: 0043B88B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$LongShow$IconicVisible
String ID:
API String ID: 3484284227-0
Opcode ID: 5794a87fcb703386a158b02435ea0ce775cf32bf35bbb06824415d0d0e307dce
Instruction ID: b2bc2e831fba9c85f1db1661d09b10185500d8c57d07e90355f63ebc4dd6214f
Opcode Fuzzy Hash: 5794a87fcb703386a158b02435ea0ce775cf32bf35bbb06824415d0d0e307dce
Instruction Fuzzy Hash: AE11292154969029D625722B0D42FAF2A9CCFD7319F14257FF6D0AB2C3DB3C580282EE

Function 00471850 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

System\CurrentControlSet\Services\, xrefs: 004718F7
Description, xrefs: 00471916

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseService$CreateHandle$ManagerOpenValue
String ID: Description$System\CurrentControlSet\Services\
API String ID: 1622739332-3489731058
Opcode ID: e3290a4c3f4982e3a5bdd6d0dc0dc46e571c815a3ea731a19b905e8ffe0c482e
Instruction ID: d71fd5d28cf64b6debb896e556e2f5286ba0cc510098e96131e6a63da4f4140e
Opcode Fuzzy Hash: e3290a4c3f4982e3a5bdd6d0dc0dc46e571c815a3ea731a19b905e8ffe0c482e
Instruction Fuzzy Hash: 4321B4B0A00709ABD711EBA6CC52BAF77A8DB45750F60843BB604B72D1DA785D01CA68

Function 004714B8 Relevance: 10.6, APIs: 7, Instructions: 89serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ControlManagerQueryStartStatus
String ID:
API String ID: 1698138069-0
Opcode ID: d81ff42534bb92f495ecd7a7d21fa6ffb6ca4a6fc5c4bad083ad3a8c8d45062f
Instruction ID: 4844ad43a9a94d366381623c7387db9b1216949b4c3e73d84466f01584c6e375
Opcode Fuzzy Hash: d81ff42534bb92f495ecd7a7d21fa6ffb6ca4a6fc5c4bad083ad3a8c8d45062f
Instruction Fuzzy Hash: 0521B171E50308BAD714EAB98C42ABF77BCDB95754F50843BF409E3251E67889018A29

Function 0048A070 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: 92b606e17cd6d1aa1c202ccba4538ae46431c09c6fdc184b2d621ed42b84d8fe
Instruction ID: 1f7382a4d51b7e70aafbd4014b945519f9f361ca119e71566e3caf28b1cc7c1a
Opcode Fuzzy Hash: 92b606e17cd6d1aa1c202ccba4538ae46431c09c6fdc184b2d621ed42b84d8fe
Instruction Fuzzy Hash: CC01B172A483016AE600EE64CD46F6F32DCDB46709F10893BF580E62C1D6BAD909872B

Function 004389B4 Relevance: 9.4, APIs: 6, Instructions: 405nativeCOMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16
NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00438EE8), ref: 00438ECA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: RestoreSave$NtdllProc_Window
String ID:
API String ID: 2725519021-0
Opcode ID: d857d62a1a632f2784ca0ed3ccba81296459d581ec29f6c0a57c488cff45230a
Instruction ID: e4e44a0c06a28b487b829f1d891154b504435a24dd35e4513ccf7ca6d42b3576
Opcode Fuzzy Hash: d857d62a1a632f2784ca0ed3ccba81296459d581ec29f6c0a57c488cff45230a
Instruction Fuzzy Hash: A4E13774A046099FCB10EFA9C48199EF7F5EB8D304F6195AAF800E7365CB38AD41CB58

Function 0043E644 Relevance: 9.4, APIs: 6, Instructions: 356windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0043E76F
SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: RestoreSave$Focus
String ID:
API String ID: 1675357626-0
Opcode ID: 62db0cf1fd47e9f916f53f6fca2d0e1b7c6d02cae937029d1cfd94e2cdcaccac
Instruction ID: c9d8ad8847979b898198798682e1015be22ec676faa0239dcd38a036b1fcd990
Opcode Fuzzy Hash: 62db0cf1fd47e9f916f53f6fca2d0e1b7c6d02cae937029d1cfd94e2cdcaccac
Instruction Fuzzy Hash: AFD1A430A01104DFCB15EB6AC996B6EB3F1EF48300F6554A7E405AB7A1CB38ED01DB58

Function 00446070 Relevance: 9.1, APIs: 6, Instructions: 99nativewindowCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,?,00445ABE,00000000,00445F57), ref: 0044608F
ShowWindow.USER32(00000000,00000009,?,?,?,00445ABE,00000000,00445F57), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,00445ABE,00000000,00445F57), ref: 004460EC
SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000,00445F57), ref: 00446132
SetFocus.USER32(00000000,?,?,?,00445ABE,00000000,00445F57), ref: 00446180

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledFocusNtdllProc_Show
String ID:
API String ID: 3940358795-0
Opcode ID: b1b462c4c0b27444b5e3059da4d9d060714824b191a1171d52b5f949d25dd0ba
Instruction ID: 7771b678008882a5346f7f7e14208c7af855db790d32a4f67b6c3589a60653e7
Opcode Fuzzy Hash: b1b462c4c0b27444b5e3059da4d9d060714824b191a1171d52b5f949d25dd0ba
Instruction Fuzzy Hash: C73109706002409BFB24EF69CD86B5A2798AB06709F0904BFF9449F297DE7DEC44875D

Function 00457FD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00458013
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00458031
GetWindowPlacement.USER32(?,0000002C), ref: 00458067
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0045808B

Strings

,, xrefs: 00458055

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 57f7d01298d6fadd7b704e7c3bd13db1abb5b807ecc8f1dc30706c824b580abd
Instruction ID: 0756e720f040076a6b1a06bb3dc50e40de6b01f0a6705036d4428c5c05f1e2ba
Opcode Fuzzy Hash: 57f7d01298d6fadd7b704e7c3bd13db1abb5b807ecc8f1dc30706c824b580abd
Instruction Fuzzy Hash: 992110716002049BCB54EF69C8C199A77A8AF45355F01846AFE18EF247DF7AEC088BA4

Function 0042E370 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: MonitorFromWindow$pB
API String ID: 190572456-71766695
Opcode ID: 7b596b5103f23bd8cf39f6639b784127fff38481ba28460c9dfa71151c7fa379
Instruction ID: 109af5a3656dd04642540b776c7c4cf0ef378c335892b76b1731f46c74af4ae6
Opcode Fuzzy Hash: 7b596b5103f23bd8cf39f6639b784127fff38481ba28460c9dfa71151c7fa379
Instruction Fuzzy Hash: F6018F32A006686B9B00DA66AC829BF736CEB05315B84457FFC11A3241DB3D9D0187AE

Function 004715B0 Relevance: 7.5, APIs: 5, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID:
API String ID: 204194956-0
Opcode ID: d63e4e1d6d8213caaf582b6c13c4d7bc56db8f035963a3f880160170e7f30123
Instruction ID: 48f8861388c1cc15b3aa0d764589b73454904c9e8850451f47ed5d818063b4be
Opcode Fuzzy Hash: d63e4e1d6d8213caaf582b6c13c4d7bc56db8f035963a3f880160170e7f30123
Instruction Fuzzy Hash: 9301F9706407057BD321B7B68C03F6F769CCB45794F51417BB504B22D2EABC8E00956D

Function 004556F4 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00455B5A

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Capture
String ID: zC
API String ID: 1145282425-2346723311
Opcode ID: ffcfca1be7a8009be322743130056fd1861afbdade67f45d923b83940dd46d1b
Instruction ID: feb0281e3d630b705ab24a8226fb5d35ef7dee81b98c3a62c70701ba9cbaed2f
Opcode Fuzzy Hash: ffcfca1be7a8009be322743130056fd1861afbdade67f45d923b83940dd46d1b
Instruction Fuzzy Hash: C7E11F34A04604DFDB10DB99C599BBEB7F1AF04316F6441A6EC04AB363D778AE49DB08

Function 00466038 Relevance: 6.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E6

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: 0dcb3e3161119dcea285469acc199e04202481ca827ee9910d190a37f3fc748a
Instruction ID: 5a5fad9a356e2128dae37ec7c9699b4349d5fa7005371798cc668f9eb0e2849d
Opcode Fuzzy Hash: 0dcb3e3161119dcea285469acc199e04202481ca827ee9910d190a37f3fc748a
Instruction Fuzzy Hash: 7A21A5B1604214AFDB10EA69CC80F1777ACEF84718F1981AAF544DF286D779EC01C7A6

Function 00445F90 Relevance: 6.1, APIs: 4, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00445AB1,00000000,00445F57), ref: 00445FB5

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000,00445518,00000000,?,?,02378130,00448275), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684

IsWindowEnabled.USER32(00000000), ref: 00445FE1
SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,00445AB1,00000000,00445F57), ref: 0044602B
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,00445AB1,00000000), ref: 00446040

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Show$ActiveEnabledEnumNtdllOwnedPopupsProc_Windows
String ID:
API String ID: 2964316467-0
Opcode ID: 834d15232277396c33905eef5c3926d5e543e0d39f9f2d01c29d2e85dd2a97aa
Instruction ID: 9677a9fbcd8b89dad956ebf336f959bd137e36a98a3b68a660edcd45336556f9
Opcode Fuzzy Hash: 834d15232277396c33905eef5c3926d5e543e0d39f9f2d01c29d2e85dd2a97aa
Instruction Fuzzy Hash: 3821BF706002409BEB54EF6AC9C6B5A37A96F05309F4910BEFE04DF29BDA7EDC448719

Function 004314A0 Relevance: 6.1, APIs: 4, Instructions: 56memoryclipboardCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?), ref: 0043152D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Global$AllocClipboardDataLockUnlock
String ID:
API String ID: 3735636508-0
Opcode ID: 5769396b532ca0dd24eaa437a4c1bac6b314fdadb45e13adde9d398250666039
Instruction ID: 9dd664fdbcea1eb594e4b940028bbab039169917cdecfb14faced22c63785a30
Opcode Fuzzy Hash: 5769396b532ca0dd24eaa437a4c1bac6b314fdadb45e13adde9d398250666039
Instruction Fuzzy Hash: 6311A570A04604BFD711EF6ACD52C5EBBBEEB8D714B5044BAB804D36A0CA38AE50C658

Function 00481ED8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,Function_000818F8,00000000,00000000), ref: 00481F09

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: HandleHookModuleWindows
String ID: dclogs\
API String ID: 1637815062-2015714602
Opcode ID: ca164597c862bb80ac5c258a428db531b87507f30e06bc79cdd92d3859876e26
Instruction ID: f5bdc2482957d119b2c7a948f64f3f6e247a36b7c84638b5e0fb7533d995eca2
Opcode Fuzzy Hash: ca164597c862bb80ac5c258a428db531b87507f30e06bc79cdd92d3859876e26
Instruction Fuzzy Hash: 83311430A002099BDB01FBD5C842B9EB7B9DF45308F50887BF900B7295D77C6D158B6A

Function 00489E9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000001,004216E2,?,?,0042B4DA,00000008,00000060,00000048,00000000,0042B57F), ref: 004217B4

Part of subcall function 004218E4: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004219E9), ref: 0042195E

SystemParametersInfoA.USER32(00000014,00000000,00000000,00000002), ref: 00489F82

Strings

Control Panel\Desktop, xrefs: 00489EE7
Wallpaper, xrefs: 00489F2A, 00489F3C, 00489F58

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseInfoOpenParametersSystem
String ID: Control Panel\Desktop$Wallpaper
API String ID: 2577197673-3610005575
Opcode ID: 883dfc37d4f9f973076bcba842931cd525a35637c189c1c99ddf285a98deadd8
Instruction ID: 7509788a31261db8c7a6f70405d8e1c8e7558ed05086fc1595e00b19fae261c9
Opcode Fuzzy Hash: 883dfc37d4f9f973076bcba842931cd525a35637c189c1c99ddf285a98deadd8
Instruction Fuzzy Hash: F4217430700604AFDB04EFA5D952A6DB7A5EB85704F64887BF600E7791D739AD01DB18

Function 0048A218 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 0048A283

Strings

<, xrefs: 0048A24C
runas, xrefs: 0048A268

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: <$runas
API String ID: 587946157-1187129395
Opcode ID: 603765f9212b45fb0a496032abadb0e52370b72655c0de8c03cd1a609a0d9f86
Instruction ID: c460beef4a30210286d0763f74090151d95dda824b3e03195a79d9eb8af4952b
Opcode Fuzzy Hash: 603765f9212b45fb0a496032abadb0e52370b72655c0de8c03cd1a609a0d9f86
Instruction Fuzzy Hash: 4601ED70900608EFEB15EFA9D842A9EBBF8EB08314F51447BE404E2390E7799E15DB59

Function 00471640 Relevance: 4.6, APIs: 3, Instructions: 140serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?,00000000,00000000,00000005,00000000,00471828), ref: 004716DC
CloseServiceHandle.ADVAPI32(00000000,00000000,0000013F,00000003,?,00004800,?,?,?,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseEnumHandleManagerOpenServiceServicesStatus
String ID:
API String ID: 236840872-0
Opcode ID: f967aefc7bf76423e22f9d52bd21a8b5005219b2ea94b15966fbc90713c84a8e
Instruction ID: 6c6477a3aa7f16ff1d10dbc936ab973cf43f9545cae1b33ee76929128eccf4f8
Opcode Fuzzy Hash: f967aefc7bf76423e22f9d52bd21a8b5005219b2ea94b15966fbc90713c84a8e
Instruction Fuzzy Hash: 1251B771A002589BDB21EB59CC41BDFB7F9EF48704F10C8B7A508A7260DA799E418F9D

Function 00428418 Relevance: 4.6, APIs: 3, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 00428425
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00428447
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 00428459

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: 4478b9a3c138687a0686639fd50ba47db60e4a65974e421b62bfd88401c9f0de
Instruction ID: 8af468d6ef4827c3facc6b8cc20fd518375f6c7cb41f1e6f0df9759fd5641c79
Opcode Fuzzy Hash: 4478b9a3c138687a0686639fd50ba47db60e4a65974e421b62bfd88401c9f0de
Instruction Fuzzy Hash: 631127727006048FC710DFAAC885A9BBBF8AF58314F50427EE948DB252DA74EC05CB95

Function 00444A7C Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00444A88
GetCursorPos.USER32(?), ref: 00444AA5
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00444AC5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: 051814c8f75384b05a6fe715f78794a8db92b8490947a9b10c5ba414622dab25
Instruction ID: 84b77d7c604ebb900be4f1c72e54bb18ce27068443de3344f6bc49165850a39d
Opcode Fuzzy Hash: 051814c8f75384b05a6fe715f78794a8db92b8490947a9b10c5ba414622dab25
Instruction Fuzzy Hash: 61F082315482099BFF24E7A9DC86B5A33D8AF44318F10057BE200AA2D2DB7DA880C65E

Function 004554F4 Relevance: 3.1, APIs: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 00455503
GetKeyboardState.USER32(?,?,?,?,00455B06), ref: 00455600

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: KeyboardMessageState
String ID:
API String ID: 3083355189-0
Opcode ID: 808654e812c04b8cf002c45e4c9406cc7ba5de4f5b303a7e3f51be5d593894dd
Instruction ID: fd6bb3eee380972d7b7e17b74c465dd610416f13f5cf6c755ee4c8c9f0fe4d16
Opcode Fuzzy Hash: 808654e812c04b8cf002c45e4c9406cc7ba5de4f5b303a7e3f51be5d593894dd
Instruction Fuzzy Hash: B031C571508B45ABC724CF38C1553ABB7D2AF89311F00492FE9C9C7246E778C909879B

Function 004576CC Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00457704
GetCapture.USER32 ref: 0045770D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 6063ac2dd12fac1c017f77210c41f4ed72a9a687f2f49046f9cc679a9348211b
Instruction ID: 0327d78a268b35ce8c677789ff907e2c6448dab7d1f279d91d5c842f90c86f2f
Opcode Fuzzy Hash: 6063ac2dd12fac1c017f77210c41f4ed72a9a687f2f49046f9cc679a9348211b
Instruction Fuzzy Hash: 08115E356042059FDB20DB59E985E6AB3E5AF08349B1490FAE804DB753DB38FD08D788

Function 00474D58 Relevance: 3.1, APIs: 2, Instructions: 57memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,?,?,?,00000000,00000000,00000000), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE), ref: 00474DBE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 0f06b3a9d05d14c227d8f49d300fba19357ac7f4f8b004a930f7be4c12f8c954
Instruction ID: 3d4a7009d76dd484f758c987681c7f943ef1eb3517999386d02c5c582c31b7ea
Opcode Fuzzy Hash: 0f06b3a9d05d14c227d8f49d300fba19357ac7f4f8b004a930f7be4c12f8c954
Instruction Fuzzy Hash: 220192317006087FF720DA668C42FBBB7ADDB85B44F514476F900E7284D678EE008668

Function 004318A0 Relevance: 3.0, APIs: 2, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 004318E9
SetClipboardData.USER32(00000009,00000000), ref: 004318FA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 0f2010860b73ae64819a8b1b72e47c22cf11ea669d4f218ec66432101ff0f195
Instruction ID: e739612fef9c341ec323a7699842473cd7885f0e480b2b8cfae146d1adeeb8b8
Opcode Fuzzy Hash: 0f2010860b73ae64819a8b1b72e47c22cf11ea669d4f218ec66432101ff0f195
Instruction Fuzzy Hash: 1B012D75A00209EFDB04DFA9C985AAEB7F8FF0D304F1105A6E904D72A1EB74AE44CB55

Function 00425A70 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ca2504a4ef36ec185e89c5cbe45427999975da89f83053bcc25645cf0a502aaf
Instruction ID: 6a340e060300fe569a79e53c9b5b4605939e3dd8f34e65c4cd0e79fc2e2f564c
Opcode Fuzzy Hash: ca2504a4ef36ec185e89c5cbe45427999975da89f83053bcc25645cf0a502aaf
Instruction Fuzzy Hash: AF01D4707146185BE721EB619C93BDA73A8E748704F9000BAB604E21C1EAFC6D808A19

Function 0043181C Relevance: 3.0, APIs: 2, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 00431865
SetClipboardData.USER32(00000009,00000000), ref: 00431876

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 8d686bb3edcbf1f0287f23636d0be7645290c9d5e61bd0a60621f4e583b22844
Instruction ID: c258abfd1bae3cce223fcfdb5e86e5ad3d018e03488e907c6d93f987f21c481c
Opcode Fuzzy Hash: 8d686bb3edcbf1f0287f23636d0be7645290c9d5e61bd0a60621f4e583b22844
Instruction Fuzzy Hash: 4E012D71A04209AFCB04DBA9C9419AEB7F8FB08314F1015A6A504E7291EB74AE40CB59

Function 0040A488 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A4A3
GetLastError.KERNEL32(00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A4C8

Part of subcall function 0040A404: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
Part of subcall function 0040A404: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Part of subcall function 0040A4FC: FindClose.KERNEL32(?,?,0040A4C6,00000000,?,?,?,?,00461DB1,00000000,00461F3B), ref: 0040A508

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: b271951cdbd7389c100cdf0ae7ed88a28fb5f573b9783d0a390267f2762ac902
Instruction ID: 2bdbaae247d1a3425dea7b77b5e76db409c649ff8386320d85249ab3d928ec5d
Opcode Fuzzy Hash: b271951cdbd7389c100cdf0ae7ed88a28fb5f573b9783d0a390267f2762ac902
Instruction Fuzzy Hash: B8E0EDAAB0172007C750BA6E188545F51888A843B4319037FF908FB3C3E57CCC2647EA

Function 00474DF0 Relevance: 3.0, APIs: 2, Instructions: 28memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00474E3D), ref: 00474E06
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,00474E3D), ref: 00474E12

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: c4326007e9121653f81660db04232ac1090b6013cbe3dc4bcb879eaff10942f8
Instruction ID: fbe7163d10dc84c5d00fca427994746e854fe78ce380d4a737e55ffcb7709b53
Opcode Fuzzy Hash: c4326007e9121653f81660db04232ac1090b6013cbe3dc4bcb879eaff10942f8
Instruction Fuzzy Hash: DDD05EA234A21437E134206B6C46FB71E4CCBC77F5E21003AB708E618294AA6C0180F8

Function 0046ADBC Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

@, xrefs: 0046B197

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2292dd3615177964b088e19524fed57bc495a9c266fe1c1bfff713db51e8fbad
Instruction ID: ddbe40538e9baf708d2be47c02668f95594b17b4f6917a86af6053f8ded7a178
Opcode Fuzzy Hash: 2292dd3615177964b088e19524fed57bc495a9c266fe1c1bfff713db51e8fbad
Instruction Fuzzy Hash: FDF15970E00619DBCF14CF98C5906EEBBB2FF89314F24815AD821A7350E7395A85CF9A

Function 00463F64 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00464010

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 7e3cccf241d719a6543ab1a14e6c351e39daf389e48f2197bdd78e8b7251981f
Instruction ID: 93754ef2e04dab4bf7e425cca76cac7516a65884f424cfd1e14bc392bef5dc41
Opcode Fuzzy Hash: 7e3cccf241d719a6543ab1a14e6c351e39daf389e48f2197bdd78e8b7251981f
Instruction Fuzzy Hash: 5B215975A04108EFDB04CF99CA85E9ABBF8EF49314F258096E904DB312E735EE44DB64

Function 00480FEC Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 58189b131d6bad9b31b58bb5dd0d6936964206077b18410e7332de7fd67d7e07
Instruction ID: 9eec0aa66b0e6b17a465713017becbaaf7ac7ec6db9e3a98db6aba3fc89bfd4d
Opcode Fuzzy Hash: 58189b131d6bad9b31b58bb5dd0d6936964206077b18410e7332de7fd67d7e07
Instruction Fuzzy Hash: 7C117C70E04648AFDB11DFA9CC11A9EB7F8FB89310F9189B7E418E2A90D7385A01DF44

Function 0040A746 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040A769

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: f6ec613ebcadacc7a2e0cd5499a95e83878b86a09f324e190c5682c8a23e5bb4
Instruction ID: 4025c5bd7047a0701642cd159606230db5b7f06ee4e1c4f744affcdd8b686913
Opcode Fuzzy Hash: f6ec613ebcadacc7a2e0cd5499a95e83878b86a09f324e190c5682c8a23e5bb4
Instruction Fuzzy Hash: 3B11D6B5E00209AFDB04DF99C881DAFF7F9EFC8304B14C569A505E7255E631AE018BA5

Function 0042C11C Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 0042BDBC: CLSIDFromProgID.COMBASE(00000000), ref: 0042BDE9

CoCreateInstance.COMBASE(?,00000000,00000005,0042C200,00000000), ref: 0042C16B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 1e67343cf6a3755dcc648c8cb1c137304937c0c58de1aa6cf99e86137d7c8245
Instruction ID: 0e77bf06c80596dcaa68c6d5969b34b49859e8a43eb0ea69bc2740a840eb9101
Opcode Fuzzy Hash: 1e67343cf6a3755dcc648c8cb1c137304937c0c58de1aa6cf99e86137d7c8245
Instruction Fuzzy Hash: 7301F770708704AEE715DF61EC539AF77ACE749710BE1047BF404E26C1E678591089A8

Function 00473560 Relevance: 1.5, APIs: 1, Instructions: 42filenetworkCOMMON

Download Yara Rule

APIs

FtpPutFileA.WININET(?,00000000,00000000,00000002,00000000), ref: 004735B2

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 80a18fa0b11a04b532a738fee1de739b4567f8fdc0dfc872b2df7eb5e2d0ef8a
Instruction ID: 6f3341fd20da57f58a3475690a976c02730a0e18f521c7973ac2effae8f0c2ec
Opcode Fuzzy Hash: 80a18fa0b11a04b532a738fee1de739b4567f8fdc0dfc872b2df7eb5e2d0ef8a
Instruction Fuzzy Hash: F10162B0600604BFDB05EFA9CC52B9E7BE8EB04314FA040B6B408E26D1D638AE009A58

Function 00430B10 Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00430B75

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b38e94b57b4479addc08563d81d5e6e1362ea2dcec4b8b7a13faf6446262da47
Instruction ID: ee8813f00c41f682bc0c08bc4bb87949efde74055c84f2d7d70abe30ec2de666
Opcode Fuzzy Hash: b38e94b57b4479addc08563d81d5e6e1362ea2dcec4b8b7a13faf6446262da47
Instruction Fuzzy Hash: 0EF09076608204AFEB40DFDAD892D96F7ECEB4D764B6140B6F908D7641D235AD008B74

Function 0040D334 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e61051f54857a69d72c9be6c8c858c0c2dae7a9817b6c0e5e63ecb697defcde6
Instruction ID: b6b3bc27cba818dd86f07b3c1014e1150591c86ae65fc585a946909a32d306c9
Opcode Fuzzy Hash: e61051f54857a69d72c9be6c8c858c0c2dae7a9817b6c0e5e63ecb697defcde6
Instruction Fuzzy Hash: 08E09272B04A1817D710A5A95C869FB729CA758310F40427FBD08E73C2EDB89E4446AA

Function 0048BB34 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000014,00000000,00000000,00000002), ref: 0048BB61

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f1c68654e61d79d595f5e402f839bb6eeab1f148254c942a856f03da32687206
Instruction ID: 2ef191fbe8193a00e2e83069fb47910ddd53355cffce1850e0bcedea997f1bc3
Opcode Fuzzy Hash: f1c68654e61d79d595f5e402f839bb6eeab1f148254c942a856f03da32687206
Instruction Fuzzy Hash: D8E0A0B0200704BFE700EB66CC03F1E7BA8E708710FA0047AF500A25D2D6782E00A928

Function 0048CEEC Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000005,00000005), ref: 0048CF00

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7b5f676b7e6b9a88d9893fae38e51468712678d2565a0147376fd67b38a2ba85
Instruction ID: f0546baeb7acae3cb5e3c522522ce2647ebb903ee0b46d33e3f215fff8233b70
Opcode Fuzzy Hash: 7b5f676b7e6b9a88d9893fae38e51468712678d2565a0147376fd67b38a2ba85
Instruction Fuzzy Hash: 23E0C2113087012AF90065691CC262F2286D740366F60863BBB14EF2C1DA7D8906672F

Function 0040D380 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79a0e4f37643c31da84fcc1cc3c35027888807660626107ab029df975161c11
Instruction ID: 975386fa7b5d916ad20be6fbaba23759347011934ff9901da2678f5332244a89
Opcode Fuzzy Hash: a79a0e4f37643c31da84fcc1cc3c35027888807660626107ab029df975161c11
Instruction Fuzzy Hash: 60D05B6671D15029E210519F1D45D7F5ADCDBC5761F10403FB948D6141D1688C069376

Function 0048CE74 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 13010ae4802796b4cebb758f70dee98ac04f0f90e3eed5081c51549290dec938
Instruction ID: 98e4b33eabaf53e06ac02edb4bf0a61fd95dc5c31155c6a725237dc9a82e4cf1
Opcode Fuzzy Hash: 13010ae4802796b4cebb758f70dee98ac04f0f90e3eed5081c51549290dec938
Instruction Fuzzy Hash: A7D05BB260430057C300B665ECC259B71CD4B94354F144C3F7989D62D2F77CD998976B

Function 0040BCC4 Relevance: 1.5, APIs: 1, Instructions: 15timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0040BCCC

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: d2c8365eac706f000001c641cc2a0dc3bb950baae54d49401a9c61011e267c3a
Instruction ID: 18359d170877d6c9a5d502834d040339afa8c639152749978d6f4e91199c9c0b
Opcode Fuzzy Hash: d2c8365eac706f000001c641cc2a0dc3bb950baae54d49401a9c61011e267c3a
Instruction Fuzzy Hash: F8D0179040862190C200FF9AC88147EB7E8AE84A01F404C9EF8D0901E2EB3CC5ACD3B7

Function 0043B75C Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0043B773

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: f1ef583641e5e91257dae9f568209ebbc2ab3bfede60cb79f03aca5766d5fbca
Instruction ID: a9af49f0c07d919ea4f91b38e3aa69d70141cd554bb4b85f797305e8e7badf51
Opcode Fuzzy Hash: f1ef583641e5e91257dae9f568209ebbc2ab3bfede60cb79f03aca5766d5fbca
Instruction Fuzzy Hash: D3C08C708101008BCF10A7398C80A493391B3A0302F9089FFE04081045CB79E8854A9C

Function 0045EC78 Relevance: .9, Instructions: 908COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e99c62f9cb34a1d69dba0a4e9228bdbe4a237ce076249af5adb7012cd77c24
Instruction ID: 8c5cc3955c1a1485aa0d62e32d88b494c96bfa0573a48a57b466807d67334b11
Opcode Fuzzy Hash: 41e99c62f9cb34a1d69dba0a4e9228bdbe4a237ce076249af5adb7012cd77c24
Instruction Fuzzy Hash: 8E42503755961D4FD348AEEE4C48081F2D7ABD4264B2F423A8A14E3312FDF9B856A5C8

Function 0046797C Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
Instruction ID: 91d046bc6df7f9e3a082991c3d1068be4f9010872feba14cae71677946551eb9
Opcode Fuzzy Hash: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
Instruction Fuzzy Hash: F461342238DA8103E73D8E7D5CE12B7EAD35FC631862ED57E94DAC3F42E85EA4165108

Function 00402370 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 004064C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction ID: e47f3aaeb8ed6147a650c2cc587590c84cccb032643323742196eb2bc5cbf075
Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
Instruction Fuzzy Hash: 5901B932B057210B874CDD7ECD9952BB6D3ABD8910F0AC73E9989D76C8DD318C1AC686

Function 0040838E Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db4a5db7d948965695fc5265557db2a6743ad504c03fffaf59ce3dfba969469
Instruction ID: 50d85d2cfeb51aaf7e84f544721989ee94c7533a7d714e26348b198219ee39fd
Opcode Fuzzy Hash: 8db4a5db7d948965695fc5265557db2a6743ad504c03fffaf59ce3dfba969469
Instruction Fuzzy Hash:

Function 0042F204 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042F5B7), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042F58E

Strings

DrawThemeBackground, xrefs: 0042F26E
DrawThemeText, xrefs: 0042F280
GetThemeIntList, xrefs: 0042F40C
SetWindowTheme, xrefs: 0042F430
GetCurrentThemeName, xrefs: 0042F550
GetThemeFont, xrefs: 0042F3D6
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeTextExtent, xrefs: 0042F2C8
HitTestThemeBackground, xrefs: 0042F2FE
DrawThemeEdge, xrefs: 0042F310
GetThemePartSize, xrefs: 0042F2B6
DrawThemeIcon, xrefs: 0042F322
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeBool, xrefs: 0042F38E
SetThemeAppProperties, xrefs: 0042F53E
GetThemeTextMetrics, xrefs: 0042F2DA
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeSysColorBrush, xrefs: 0042F466
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysBool, xrefs: 0042F478
IsThemePartDefined, xrefs: 0042F334
uxtheme.dll, xrefs: 0042F235
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeString, xrefs: 0042F37C
GetThemeAppProperties, xrefs: 0042F52C
GetWindowTheme, xrefs: 0042F4F6
GetThemeDocumentationProperty, xrefs: 0042F562
OpenThemeData, xrefs: 0042F24A
IsAppThemed, xrefs: 0042F4E4
DrawThemeParentBackground, xrefs: 0042F574
GetThemeSysInt, xrefs: 0042F4C0
GetThemeSysSize, xrefs: 0042F48A
GetThemeBackgroundRegion, xrefs: 0042F2EC
GetThemePosition, xrefs: 0042F3C4
EnableTheming, xrefs: 0042F586
GetThemeMetric, xrefs: 0042F36A
GetThemeSysString, xrefs: 0042F4AE
GetThemeColor, xrefs: 0042F358
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeSysColor, xrefs: 0042F454
GetThemeInt, xrefs: 0042F3A0
CloseThemeData, xrefs: 0042F25C
GetThemePropertyOrigin, xrefs: 0042F41E
IsThemeActive, xrefs: 0042F4D2
GetThemeFilename, xrefs: 0042F442
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: f9ff708dac386ae5d9e30e138ad9962b1451089ba6adc41bbb3e40df37f83233
Instruction ID: cebc7dfec6fd2eb3f6e9ec4c46b7472560df98df2d2e0d818cd08284bc94b5c0
Opcode Fuzzy Hash: f9ff708dac386ae5d9e30e138ad9962b1451089ba6adc41bbb3e40df37f83233
Instruction Fuzzy Hash: 32A170B0B44660AFDB00EF69E895F2637B8EB557843D0097BB400DF299D67CB8448B5E

Function 004754C4 Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233libraryloaderprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00475563
user32, xrefs: 004756F6
GetExitCodeProcess, xrefs: 0047565B, 00475781
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
Sleep, xrefs: 004755B9, 004756D9
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
CreateMutexA, xrefs: 00475604, 00475769
WaitForSingleObject, xrefs: 0047567E, 004757C9
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CloseHandle, xrefs: 00475613, 00475709
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
CreateProcessA, xrefs: 004755D7, 00475721
notepad, xrefs: 00475543
ExitThread, xrefs: 00475622, 00475799
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
GetLastError, xrefs: 004755E6, 00475739
LoadLibraryA, xrefs: 004756AA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$CreateProcess$AttributesFileMemoryObjectReadRemoteSingleThreadWait
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$kernel32.dll$notepad$user32$user32.dll
API String ID: 1639997394-2012025182
Opcode ID: 6f9ff9a4cc1378be953fd1ee1977a3659b763e422276e2f8980670f72d616d10
Instruction ID: e9d3a9bfe88baf75e55dadfdac4beb4fd7c7d96bac81333de36e5bf418f232b7
Opcode Fuzzy Hash: 6f9ff9a4cc1378be953fd1ee1977a3659b763e422276e2f8980670f72d616d10
Instruction Fuzzy Hash: E6811EB0E40B049BD710BB768C42B9E76A49F44708F61887F705DBF692DABCB9108B59

Function 00460DDC Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PSAPI.dll,?,00461159), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 00460F62

Strings

QueryWorkingSet, xrefs: 00460EB8
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
GetDeviceDriverBaseNameW, xrefs: 00460F5A
GetModuleBaseNameW, xrefs: 00460E70
GetModuleFileNameExW, xrefs: 00460E82
PSAPI.dll, xrefs: 00460DEB
EnumDeviceDrivers, xrefs: 00460F7E
GetProcessMemoryInfo, xrefs: 00460F90
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
EnumProcesses, xrefs: 00460E04
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetModuleInformation, xrefs: 00460E94
GetMappedFileNameW, xrefs: 00460F48
GetDeviceDriverFileNameW, xrefs: 00460F6C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 2238633743-2267155864
Opcode ID: ab661342394daa93bdfc84b549fb0db1521f2f56ef024eda48370ff564e5d94e
Instruction ID: a24e5f005b97b8d3632871dff6e343d4ef672c2fd5f25bd1742d1874c9fd01e1
Opcode Fuzzy Hash: ab661342394daa93bdfc84b549fb0db1521f2f56ef024eda48370ff564e5d94e
Instruction Fuzzy Hash: 3B41E0B0A44250AFDF00EFB99896F1637A8AB557883540D7BB400DF299E67DAC408B5F

Function 00474F80 Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193libraryloaderprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 00474E81

Strings

GetProcAddress, xrefs: 00475129
notepad, xrefs: 00475025
GetLastError, xrefs: 004750AA, 004751A1
D, xrefs: 00474FC9
MessageBoxA, xrefs: 0047507D, 00475159
Sleep, xrefs: 0047506E, 00475141
kernel32.dll, xrefs: 00475050
LoadLibraryA, xrefs: 00475112
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
DeleteFileA, xrefs: 0047509B, 00475189
CloseHandle, xrefs: 004750C8, 004751D1
ExitThread, xrefs: 0047508C, 00475171
user32.dll, xrefs: 0047505F
OpenProcess, xrefs: 004750D7, 004751E9
TerminateProcess, xrefs: 004750B9, 004751B9
GetExitCodeProcess, xrefs: 004750E6, 00475201

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$CreateProcess$AttributesFileMemoryObjectReadRemoteSingleThreadWait
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$kernel32.dll$notepad$user32.dll
API String ID: 1639997394-1586427593
Opcode ID: 47d984d89d447a740af8b3480d1bf6b14dff3af0580e8dc4d822aeea4be16fae
Instruction ID: 20f2dfa10427aafd6656507844e619c9700bbfc3e667e8045d5c03969cadce47
Opcode Fuzzy Hash: 47d984d89d447a740af8b3480d1bf6b14dff3af0580e8dc4d822aeea4be16fae
Instruction Fuzzy Hash: 0D615E70A40B049AD710BB758C42B9EB6A5AF44748F50887FB44DBB692DBBCB9008F5D

Function 0045D6E8 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

ImmSetConversionStatus, xrefs: 0045D7A4
ImmReleaseContext, xrefs: 0045D77A
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmIsIME, xrefs: 0045D80D
ImmSetOpenStatus, xrefs: 0045D7B9
imm32.dll, xrefs: 0045D749
ImmGetCompositionStringA, xrefs: 0045D7F8
WINNLSEnableIME, xrefs: 0045D72C
ImmNotifyIME, xrefs: 0045D822
ImmGetContext, xrefs: 0045D765
USER32, xrefs: 0045D720

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: 57c5e944ddb563a745ba340de0f34f829c81228d5db11bbe286ca3a6e782315b
Instruction ID: 350e7b0c72bf7dc8e61b3cc467ad8a58c375954f1a989729b8f00de9bb81095f
Opcode Fuzzy Hash: 57c5e944ddb563a745ba340de0f34f829c81228d5db11bbe286ca3a6e782315b
Instruction Fuzzy Hash: 0B3163B0E44300BEE710FFB99D46A1637E8EB98749B50487FF410A7292D6BD6844CB5D

Function 004104F0 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarDateFromStr, xrefs: 00410667
VarAdd, xrefs: 00410549
VarXor, xrefs: 004105F9
VarCmp, xrefs: 0041060F
VarCyFromStr, xrefs: 0041067D
VarAnd, xrefs: 004105CD
VarNot, xrefs: 00410533
VarIdiv, xrefs: 004105A1
VarDiv, xrefs: 0041058B
VarBstrFromCy, xrefs: 004106A9
VarMod, xrefs: 004105B7
VarBstrFromDate, xrefs: 004106BF
VarNeg, xrefs: 0041051D
VarSub, xrefs: 0041055F
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarR8FromStr, xrefs: 00410651
VarI4FromStr, xrefs: 00410625
VarBoolFromStr, xrefs: 00410693
VarR4FromStr, xrefs: 0041063B
VarBstrFromBool, xrefs: 004106D5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 1ad1c5755158f3bb792f8e52e50cc48a0cf3b3d723dbf6682b27caf97537bf49
Instruction ID: 395bb6d0e7018af265d6a1d04e1d62bb5da875e14dc9152300494530f45af478
Opcode Fuzzy Hash: 1ad1c5755158f3bb792f8e52e50cc48a0cf3b3d723dbf6682b27caf97537bf49
Instruction Fuzzy Hash: DC4118B06062086B5304AB6E7A415EA7BD8D788714360C13FF5188B796DFBDBCC18B2D

Function 0047EE3C Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11

Strings

GENCODE, xrefs: 0047F0A0
HOSTS, xrefs: 0047EFA3
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
UPDATE, xrefs: 0047EF3E
.dcp, xrefs: 0047F0AD
BATCH, xrefs: 0047EEC3
EDITSVR, xrefs: 0047F063
UPANDEXEC, xrefs: 0047EF74
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
UPLOADEXEC, xrefs: 0047EE7E
SOUND, xrefs: 0047F040

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 587946157-486951257
Opcode ID: 2ed11dc5f73f97296b9f86895d695e4a36e1ab87a975bba46df742df2ed0e9fd
Instruction ID: 40a804d31181451f2c4759b72ce87a8f54f85bc05e0707d030e3e1ba04200fa5
Opcode Fuzzy Hash: 2ed11dc5f73f97296b9f86895d695e4a36e1ab87a975bba46df742df2ed0e9fd
Instruction Fuzzy Hash: 52712D74750604EBDB10FAA5C882FAF73A4EB04714FA08077F904BB6C6D67DAD058A6D

Function 00489580 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221pipewindowsleepCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?,00000000), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781
TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104), ref: 00489813
CloseHandle.KERNEL32(?,?,?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Pipe$CreateMessagePeekProcess$CloseHandleNamed$CharCodeDispatchEnvironmentExitFileReadSleepTerminateTranslateVariable
String ID: COMSPEC$D
API String ID: 3228586300-942777791
Opcode ID: 921b814b1b9b0d7ec9f6e9d770daa33d458549549ecd313183d227896a2ee1ba
Instruction ID: 95e1e43dfd61edd3a26936943111fa7a72a59d87f82baf661aca6111ca42b787
Opcode Fuzzy Hash: 921b814b1b9b0d7ec9f6e9d770daa33d458549549ecd313183d227896a2ee1ba
Instruction Fuzzy Hash: 70814571A14608AAEB10EBA9CC85BDE77BCAF44304F14047AF604F7281D779AE45CB69

Function 00483C10 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 182threadfileCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000,00000000,00483E62), ref: 00483CB1
OpenProcess.KERNEL32(00000010,00000000,?,00000000,00483E62), ref: 00483CBE
RtlExitUserThread.NTDLL(00000000,00000010,00000000,?,00000000,00483E62), ref: 00483CD8
CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000000,00000000,00000000,00483E1C,?,00000010,00000000,?,00000000,00483E62), ref: 00483D03
RtlExitUserThread.NTDLL(00000000,00000000,40000000,00000000,00000000,00000004,00000000,00000000,00000000,00483E1C,?,00000010,00000000,?,00000000,00483E62), ref: 00483D1D
VirtualProtectEx.KERNEL32(00000000,?,?,00000004,?), ref: 00483D5D
ReadProcessMemory.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000004,?), ref: 00483D70
VirtualProtectEx.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?,00000004,?), ref: 00483D83
SetEndOfFile.KERNEL32(000000FF,00483E23), ref: 00483DC4
CloseHandle.KERNEL32(000000FF,000000FF,00483E23), ref: 00483DCD
CloseHandle.KERNEL32(00000000,000000FF,000000FF,00483E23), ref: 00483DD6
WriteFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00483D9A

Part of subcall function 00475E2C: send.WSOCK32(00000000,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

RtlExitUserThread.NTDLL(00000000,00483F4C,?,) successfully dump in ,?,SYSINFORemote process (,00000000,000000FF,000000FF,00483E23), ref: 00483E16

Strings

) successfully dump in , xrefs: 00483DF2
SYSERRCannot create the output file!, xrefs: 00483D11
SYSERRNot a valid range set!, xrefs: 00483CA5
SYSINFORemote process (, xrefs: 00483DDB
SYSERRCannot open remote process for reading.., xrefs: 00483CCC

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$File$CloseHandleProcessProtectVirtual$CreateMemoryOpenReadWritesend
String ID: ) successfully dump in $SYSERRCannot create the output file!$SYSERRCannot open remote process for reading..$SYSERRNot a valid range set!$SYSINFORemote process (
API String ID: 4161570757-2263546889
Opcode ID: 4bdb0c2d688b396db2f2506c44608d8f1756cc61627dee67bab92f8d873f7d95
Instruction ID: 1bf0248c18ca834f60428792f65fe9590105a4575173fe751b1e1da963c3cdc7
Opcode Fuzzy Hash: 4bdb0c2d688b396db2f2506c44608d8f1756cc61627dee67bab92f8d873f7d95
Instruction Fuzzy Hash: EB51E0B1E04118AFDB00EFA9DD81FDEB7B9EB08714F50456AF504F7281D678AE408B69

Function 00486918 Relevance: 28.8, APIs: 19, Instructions: 343networksleepCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
gethostbyname.WS2_32(00000000), ref: 00486BFF
htons.WS2_32(?), ref: 00486C29
socket.WS2_32(00000002,00000001,00000000), ref: 00486C44
connect.WS2_32(00000000,00000002,00000010), ref: 00486C55
getsockname.WS2_32(00000000,?,00000010), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00486D1D
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,?,00000005), ref: 00486D72

Part of subcall function 00408710: __WSAFDIsSet.WS2_32(00000000,?), ref: 00408718

send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,?,00000005), ref: 00486DC0
Sleep.KERNEL32(00000096,?,00000005,0000000A,00000000,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486DCA
closesocket.WS2_32(?), ref: 00486DE2
closesocket.WS2_32 ref: 00486DE8

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: send$closesocket$Sleepconnectgethostbynamegetsocknamehtonsselectsocket
String ID:
API String ID: 129894690-0
Opcode ID: dffc39fc354fbfc3c555f2e0031b39c7209a0c13b48ec1f4e14dedd229b09c68
Instruction ID: 5f6b45cba2bdcbc4bd5ebe49aad55af6eec3315c819bbbe8d5cacfbd29903a14
Opcode Fuzzy Hash: dffc39fc354fbfc3c555f2e0031b39c7209a0c13b48ec1f4e14dedd229b09c68
Instruction Fuzzy Hash: 9AD1A570A00218AADB20E725CC82BEE77BC9F45304F5005FBF549BA1C6DA7C9B848F59

Function 004031FC Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 00403236
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 00403240
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 0040325F
CharNextA.USER32(00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 00403269
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 00403295
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 0040329F
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 004032C7
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,0040331C,00000000,00403349,?,?,?,00000000), ref: 004032D1

Strings

, xrefs: 00403214
, xrefs: 00403278
", xrefs: 00403254
", xrefs: 00403230
", xrefs: 004032BC
", xrefs: 0040321E
, xrefs: 004032E9
", xrefs: 00403219
", xrefs: 0040328F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: 3bd9a193daecdd238f67bae6ba487182a8676f0db8e6ba609be4f5a64eecd842
Instruction ID: bdf7d2ac8bc3fc46c7ed94e96313c0ac358e30d7acbc24f56d7c24abc7c8abfb
Opcode Fuzzy Hash: 3bd9a193daecdd238f67bae6ba487182a8676f0db8e6ba609be4f5a64eecd842
Instruction Fuzzy Hash: D9317250A083D12AEB327AB54DC47662ECC4B96356F1805FF9541B62D7D5BC8A41C31A

Function 00472E88 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WS2_32(?), ref: 00472F40
inet_ntoa.WS2_32(?), ref: 00472F81
inet_ntoa.WS2_32(?), ref: 00472FC2
closesocket.WS2_32(000000FF), ref: 004730E3

Strings

Status : DOWN, xrefs: 0047301B
Broadcasts : YES, xrefs: 0047303D
Broadcast adress : , xrefs: 00472FCB
Loopback interface, xrefs: 00473077
Status : UP, xrefs: 00473001
Broadcasts : NO, xrefs: 00473057
IP Mask : , xrefs: 00472F8A
Network interface, xrefs: 00473091
IP : , xrefs: 00472F49

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: inet_ntoa$Ioctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 4072187599-1810517698
Opcode ID: c1cdba5071aa0e60e5044a1513dbdb5a4bb804c93194c752e20350a9e0c33837
Instruction ID: ab23de6604ef5ba243a1e2c870081f23a3f4f579f5567ed3b19c45597694430d
Opcode Fuzzy Hash: c1cdba5071aa0e60e5044a1513dbdb5a4bb804c93194c752e20350a9e0c33837
Instruction Fuzzy Hash: FA51F931750604AFD711AE55CC02FDB77AAEB44701FA0846BF848B72C4C6BE5E12AF59

Function 00480880 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 276networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 004808B5
htons.WS2_32(00000000), ref: 004808D9
inet_addr.WS2_32(00000000), ref: 004808ED
gethostbyname.WS2_32(00000000), ref: 00480905
connect.WS2_32(000000FF,00000002,00000010), ref: 0048092C
shutdown.WS2_32(000000FF,00000002), ref: 00480C26
closesocket.WS2_32(000000FF), ref: 00480C2F

Strings

FILEERR, xrefs: 00480BB6
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A
FILEEOF, xrefs: 00480B0B
FILEBOF, xrefs: 00480A34

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID: FILEBOF$FILEEND$FILEEOF$FILEERR$UPLOADFILE
API String ID: 1626636048-857550588
Opcode ID: f026bc058f5ac4961d630fe413edeafc05871d8492a04b3790b5f3b19503eb5b
Instruction ID: cdc034c040f455281bc25cad72133b6b44e65767978c96b0c7ce34103b78e964
Opcode Fuzzy Hash: f026bc058f5ac4961d630fe413edeafc05871d8492a04b3790b5f3b19503eb5b
Instruction Fuzzy Hash: D6A17270A102189BDB14FB65C885BDE73B9EB44308F5045BBF504AB2C6DB78AE85CF58

Function 0047FA8C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 241networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0047FACB
htons.WS2_32(00000000), ref: 0047FAEF
inet_addr.WS2_32(00000000), ref: 0047FB03
gethostbyname.WS2_32(00000000), ref: 0047FB1B
connect.WS2_32(000000FF,00000002,00000010), ref: 0047FB42
73A0A570.USER32(00000000,00000000,0047FD2B,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,00000000), ref: 0047FBE3
SelectObject.GDI32(?,?), ref: 0047FC23
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect$A570connectgethostbynamehtonsinet_addrsendsocket
String ID: THUMB
API String ID: 2044821664-3798143851
Opcode ID: 74ed5629067ad22bcd7fadb54db7d4cdd69b89a75588b3c51667ced20d1b0c24
Instruction ID: 8cf77986ac8e812088483114d2154e400579996fdeeff4b414df514635362606
Opcode Fuzzy Hash: 74ed5629067ad22bcd7fadb54db7d4cdd69b89a75588b3c51667ced20d1b0c24
Instruction Fuzzy Hash: 59911174A40304AFDB10EBA5CD86FAEB3B9EF48704F10447AF604E7291D678AD45CB69

Function 00465A0C Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 232COMMON

Download Yara Rule

Strings

BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28
BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
PE, xrefs: 00465A84
MZ, xrefs: 00465A41

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 0-3631919656
Opcode ID: 55e51ac784f6f41ad5d714717ace54d489d53ab6b595cfd356cbe4ff5d71c969
Instruction ID: b20ef3fee28795f126b59ee3d7137661f71c46c8834bf65cff6539cc8d466484
Opcode Fuzzy Hash: 55e51ac784f6f41ad5d714717ace54d489d53ab6b595cfd356cbe4ff5d71c969
Instruction Fuzzy Hash: 49719571B04A04AFEB14DB6DCC41B6EB7E5EB88714F10C4BAF504E7381EA389D418B5A

Function 00425CC8 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00425D20
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,00425D90,?,?), ref: 00425D64
SelectObject.GDI32(?,?), ref: 00425D7E
DeleteObject.GDI32(?), ref: 00425D8A
SelectObject.GDI32(?,?), ref: 00425DD4
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
SetTextColor.GDI32(?,00000000), ref: 00425E7D
SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
SetTextColor.GDI32(?,?), ref: 00425EE6
SetBkColor.GDI32(?,?), ref: 00425EF0
SelectObject.GDI32(?,00000000), ref: 00425F03
DeleteObject.GDI32(?), ref: 00425F0C
DeleteDC.GDI32(?), ref: 00425F37

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$ColorSelectStretch$Delete$Text$Mask
String ID:
API String ID: 326492243-0
Opcode ID: d8e1724576f574ae09a1413f8e0e13ab6aadab4a8bbe90aca38c9fdbb62b321e
Instruction ID: e983f0c62ec482ac6a7694e4d78d7742d1d0dd20c2797562eb9a97e0ed3ed78c
Opcode Fuzzy Hash: d8e1724576f574ae09a1413f8e0e13ab6aadab4a8bbe90aca38c9fdbb62b321e
Instruction Fuzzy Hash: 0A81B4B1A04219AFDB50DFA9CD85FAF77ECAB0D314F514459F618F7281C638AD008B69

Function 004801FC Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 286networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00480264
htons.WS2_32(00000000), ref: 00480288
inet_addr.WS2_32(00000000), ref: 0048029C
gethostbyname.WS2_32(00000000), ref: 004802B4
connect.WS2_32(000000FF,00000002,00000010), ref: 004802DB
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,0048064C,?,FILEBOF), ref: 004804DB
shutdown.WS2_32(000000FF,00000002), ref: 004805D5
closesocket.WS2_32(000000FF), ref: 004805DE

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

Strings

FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILEEOF, xrefs: 00480564
FILEERR, xrefs: 00480432
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: send$AttributesFileclosesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID: FILEBOF$FILEEND$FILEEOF$FILEERR$FILETRANSFER
API String ID: 1000740278-2201142619
Opcode ID: de141080d0af0e70ed050346cbac32d333074886a60d1ece429222566f44452a
Instruction ID: d884f81a31d127129e457d29bc3a887c149848b3ea7592e29df607f4b17ad49f
Opcode Fuzzy Hash: de141080d0af0e70ed050346cbac32d333074886a60d1ece429222566f44452a
Instruction Fuzzy Hash: 39B14E70A10219AFDB60EB95CC85BDEB7B8EF48304F5044AAA604F7291DB789E45CF58

Function 004865E0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218networkwindowsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WS2_32(00000002,00000001,00000000), ref: 004866CE
htons.WS2_32(00000000), ref: 004866F8
inet_addr.WS2_32(00000000), ref: 00486709
gethostbyname.WS2_32(00000000), ref: 0048671F
connect.WS2_32(00000000,00000002,00000010), ref: 00486744
shutdown.WS2_32(00000000,00000001), ref: 00486881
closesocket.WS2_32(00000000), ref: 0048688E

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekSleepTranslateclosesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID: `cH$AI
API String ID: 2253344678-3416697501
Opcode ID: bedb0ffaec52e44a88e2de0e8a99cec9f55a2e9ce9d1910240818cd027755a58
Instruction ID: 41e6e4eb2a8756f4af6665dd27e47b218bc7cc1c13d6ade83d67c70cfc95b343
Opcode Fuzzy Hash: bedb0ffaec52e44a88e2de0e8a99cec9f55a2e9ce9d1910240818cd027755a58
Instruction Fuzzy Hash: A7816E74A006049FDB10FB69DD85B8EB3B9AF44308F1144BBE504E73A2D778AE46CB59

Function 0048317C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 191networkthreadCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00483247
RtlExitUserThread.NTDLL(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
htons.WS2_32(00000000), ref: 0048326E
inet_addr.WS2_32(00000000), ref: 00483282
gethostbyname.WS2_32(00000000), ref: 0048329A
RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000000), ref: 004832A7
connect.WS2_32(000000FF,00000002,00000010), ref: 004832C6
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
shutdown.WS2_32(000000FF,00000002), ref: 00483382
closesocket.WS2_32(000000FF), ref: 0048338B
RtlExitUserThread.NTDLL(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,00000000,00000000), ref: 0048339A

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$closesocketconnectgethostbynamehtonsinet_addrsendshutdownsocket
String ID: DATAFLUX$AI
API String ID: 2465866365-1069322248
Opcode ID: 108bb0699211b11e589103643461899d014b8e42d96da5f9b0910472b6323014
Instruction ID: a550a1352afb7896cb68f3560b5cabc46008ece412a12536725869762f02c33b
Opcode Fuzzy Hash: 108bb0699211b11e589103643461899d014b8e42d96da5f9b0910472b6323014
Instruction Fuzzy Hash: 9E611274A002189FDB10EFA5CC82B8E77B9EB48704F50447AF604F7296DA78EE458B59

Function 0048298C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119threadnetworkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 004829FE
RtlExitUserThread.NTDLL(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
htons.WS2_32(?), ref: 00482A18
inet_addr.WS2_32(00000000), ref: 00482A2A
gethostbyname.WS2_32(00000000), ref: 00482A40
RtlExitUserThread.NTDLL(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WS2_32(00000000,00000002,00000010), ref: 00482A63
closesocket.WS2_32(00000000), ref: 00482A9C
RtlExitUserThread.NTDLL(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WS2_32(00000000), ref: 00482AAB
RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Strings

PortScanAdd, xrefs: 00482A6C
T)H, xrefs: 004829A6, 00482AEF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$closesocket$connectgethostbynamehtonsinet_addrsocket
String ID: PortScanAdd$T)H
API String ID: 3331331703-1310557750
Opcode ID: 4f0aaf588a8e68274f49ca44d2d491ec8a76cf678dfed71faac18fa6c5d4ccc3
Instruction ID: dfbeccaf93b07c71eaea7559705428fa792c13e1ab77e083179d187ea886d1de
Opcode Fuzzy Hash: 4f0aaf588a8e68274f49ca44d2d491ec8a76cf678dfed71faac18fa6c5d4ccc3
Instruction Fuzzy Hash: 95416030A00609AEDB00FBA5CD42B9F77E8EF48304F60447BF504B7292DAB89D019B59

Function 0045944C Relevance: 22.8, APIs: 15, Instructions: 258COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE
FillRect.USER32(?,?,00000000), ref: 004596DA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLong
String ID:
API String ID: 1904870186-0
Opcode ID: ba0e585f5a220742b43e222ef255719f620f5db918f749e3f708f6a4cc6e7059
Instruction ID: f381e9d907e84e040b15bb07fcc8fa9a46ca188c9f9e639884964784588c8640
Opcode Fuzzy Hash: ba0e585f5a220742b43e222ef255719f620f5db918f749e3f708f6a4cc6e7059
Instruction Fuzzy Hash: 34A10F71E00108EFCB01DBA9C986EDE77F9AF49305F1440AAF914F7252DB79AE058B64

Function 00487B54 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00487B90
socket.WS2_32(00000002,00000001,00000000), ref: 00487B9B
htons.WS2_32(00000000), ref: 00487BBD
inet_addr.WS2_32(00000000), ref: 00487BD1
gethostbyname.WS2_32(00000000), ref: 00487BE9
connect.WS2_32(00000000,00000002,00000010), ref: 00487C0D
send.WSOCK32(00000000,?,00000000,00000000), ref: 00487D26
shutdown.WS2_32(00000000,00000002), ref: 00487D94
closesocket.WS2_32(00000000), ref: 00487D9A

Part of subcall function 00475E2C: send.WSOCK32(00000000,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

ENDSNAP, xrefs: 00487D54
#CAMEND, xrefs: 00487CC4
CAMERA, xrefs: 00487C47

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: send$Initializeclosesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID: #CAMEND$CAMERA$ENDSNAP
API String ID: 188043792-4109213444
Opcode ID: 2e8e43355300db45eee3b1acb2fde681b8b21a56a9e16257beb1a2d33dc8670f
Instruction ID: 0fef1f828821176ef50aa4f11f0847c4136632d7fec43a4d81c01dd0a7c27fcc
Opcode Fuzzy Hash: 2e8e43355300db45eee3b1acb2fde681b8b21a56a9e16257beb1a2d33dc8670f
Instruction Fuzzy Hash: 9C616E70A04618AFDB20EB55CC85FAE73F9AF44304F2044BBF914AB292D7789E44CB59

Function 0047EAEC Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149windowthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D

Part of subcall function 0041FA34: GetLastError.KERNEL32(00000000,0041FADE), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,00000000,?,00000000,00461FFA), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,?,00000000,00462033), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Strings

AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
Unknow, xrefs: 0047EC0B
PWD, xrefs: 0047EB26
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MessageThread$CreateDispatchErrorLastPriorityResumeTranslate
String ID: at $,xI$MPI$OFFLINEK$PWD$Unknow$AI$AI
API String ID: 3002801514-2464480815
Opcode ID: bc69af0adfb34cd0679ee449daf121cc4336e7819dd874c63be97dde00923ef5
Instruction ID: e2167eeccbf4afbe61ec2f3fb3de221b5c7edd7213e8530d036ea6c8de836f7f
Opcode Fuzzy Hash: bc69af0adfb34cd0679ee449daf121cc4336e7819dd874c63be97dde00923ef5
Instruction Fuzzy Hash: 37514E386002059FDB11EB65DC81F9A77B5EF9D308F108576F904AB3A1C739A942CB6D

Function 004836D8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 99threadnetworksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0048373A
RtlExitUserThread.NTDLL(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WS2_32(?), ref: 00483762
htons.WS2_32(00000050), ref: 0048376B
gethostbyname.WS2_32(?), ref: 0048377B
RtlExitUserThread.NTDLL(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WS2_32(00000000,00000002,00000010), ref: 0048379E
RtlExitUserThread.NTDLL(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WS2_32(00000000), ref: 004837E5
RtlExitUserThread.NTDLL(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$Sleepclosesocketconnectgethostbynamehtonsinet_addrsocket
String ID: POST /index.php/1.0Host:
API String ID: 681257413-3360397365
Opcode ID: ba673a4f71954a393736f9a25fadc427223304dae623b4873d499f9a8ce2d311
Instruction ID: 945f41c8bfcd063cc9095e44db21a60f0fa1d8b30e727fd2b73fa24ca6d896be
Opcode Fuzzy Hash: ba673a4f71954a393736f9a25fadc427223304dae623b4873d499f9a8ce2d311
Instruction Fuzzy Hash: D83154B0A40709AAE710FB65CC82B9F76E8DF04B04F50447EF644B72C2DA789A459B6D

Function 00487F2C Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 236networksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00487F77
htons.WS2_32(00000000), ref: 00487F9B
inet_addr.WS2_32(00000000), ref: 00487FAF
gethostbyname.WS2_32(00000000), ref: 00487FC7
connect.WS2_32(000000FF,00000002,00000010), ref: 00487FEE

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,00000000,?,00000000,00461FFA), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,?,00000000,00462033), ref: 0041FEF8

Part of subcall function 00487EE4: SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 00487F18

Sleep.KERNEL32(00000064,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0048813E
send.WSOCK32(000000FF,?,00000000,00000000), ref: 004881A4
shutdown.WS2_32(000000FF,00000002), ref: 0048822C
closesocket.WS2_32(000000FF), ref: 00488235

Strings

ENDSNAP, xrefs: 004881D8
DESKTOP, xrefs: 0048802B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$MessagePriorityResumeSendSleepclosesocketconnectgethostbynamehtonsinet_addrsendshutdownsocket
String ID: DESKTOP$ENDSNAP
API String ID: 932760545-2699096840
Opcode ID: 274f77465147dea2047d641798f8d10ee4cf6c573f26e1fd71b0c87a182315d8
Instruction ID: fbbc371b6da7babc7e7fba5de805cf5b325ab46e38a64bd95ffdedec6976ea4d
Opcode Fuzzy Hash: 274f77465147dea2047d641798f8d10ee4cf6c573f26e1fd71b0c87a182315d8
Instruction Fuzzy Hash: EF915274E002089FDB10FB65CC8AB9EB7B5AF44304F5044BAF504AB396DB78AE45CB58

Function 00489244 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 150networkthreadCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 004892BA
htons.WS2_32(00000000), ref: 004892DC
inet_addr.WS2_32(00000000), ref: 004892F0
gethostbyname.WS2_32(00000000), ref: 00489308
connect.WS2_32(00000000,00000002,00000010), ref: 0048932C
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
shutdown.WS2_32(00000000,00000002), ref: 00489409
closesocket.WS2_32(00000000), ref: 0048940F
RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

AI, xrefs: 0048928B
DATAFLUX, xrefs: 0048934C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUserclosesocketconnectgethostbynamehtonsinet_addrsendshutdownsocket
String ID: DATAFLUX$AI
API String ID: 3056308631-1069322248
Opcode ID: 2aac826394ee2e9f95569d49ddf89aa4d8c633bf8c4c6fbc1029c09139eb1da2
Instruction ID: e94b19134a2825d7369040221fb4b3e091a3923ddeed24191365a97965517ff0
Opcode Fuzzy Hash: 2aac826394ee2e9f95569d49ddf89aa4d8c633bf8c4c6fbc1029c09139eb1da2
Instruction Fuzzy Hash: 195175B0600614ABDB10FB55CD82F9E73A8EF48704F1044BAFB05B7296DB789E428B5D

Function 0048D3C4 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows 7, xrefs: 0048D4B1
Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows Server 2003, xrefs: 0048D486
Windows 98, xrefs: 0048D4E4
Windows XP, xrefs: 0048D478
Windows 2000, xrefs: 0048D467
Windows Vista, xrefs: 0048D4A3
Unknow, xrefs: 0048D3F5
Windows 95, xrefs: 0048D4D6

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Version
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 1889659487-3783844371
Opcode ID: f363f8a68b66fb66844f20a54f2ae758c12e1c0f56a243a01e60438542fb073e
Instruction ID: efafa3d656913f47c086d577804a577f76815ad5de1f3f09d66c721075e28549
Opcode Fuzzy Hash: f363f8a68b66fb66844f20a54f2ae758c12e1c0f56a243a01e60438542fb073e
Instruction Fuzzy Hash: 4F417530F025599BDB147A6D8C81B6EB761EB44708F508877A808F73E5DA3CAD458B1E

Function 0048C494 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102filememorythreadCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000,00000000,00489C5F,?,?,00000005,00000000,00000000,?,00485721,00000000,00485755,?,?,00000005), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?,00000000,0048C5AC), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000000,.dll,?,?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,.dll,?,?,40000000,00000002,00000000,00000002,00000080), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,.dll,?,?,40000000,00000002,00000000,00000002), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,.dll,?,?,40000000,00000002), ref: 0048C535
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,.dll,?,?,40000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,.dll,?), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,Function_0008C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000,00000000,00000000,Function_0008C3E4,00000000,00000000,?,.dll,?,?,00000040,00000004,00000000,00000000,00000000,00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Resource$CloseCreateFileHandle$AllocFindLoadLocalLockPathSizeofTempThreadWrite
String ID: .dll
API String ID: 4181437036-2738580789
Opcode ID: 172676192bd48a15e25f4538ae0c5f2c57fab97685bd01033f6145ba94befb32
Instruction ID: 2d684a32aa0f3bf6099de899b5d84f1ca013df19b15e080bb526a55772640a92
Opcode Fuzzy Hash: 172676192bd48a15e25f4538ae0c5f2c57fab97685bd01033f6145ba94befb32
Instruction Fuzzy Hash: C4215371A442197AFB10BAA58C43FAF76ADDF44B14F50443AF600B61C1DA7CBD019B79

Function 004085D4 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004085F8
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00408607
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3
MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MouseZ, xrefs: 004085E7
MSH_WHEELSUPPORT_MSG, xrefs: 00408602

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: bffac0ca2944af111f0aaca626089726f4c9d7f7cc5f7d605a4dcdc83858f7b1
Instruction ID: d0a151b3b5bd4fe86493293965c5d8c588d0e8c9ac58049b083f8f0e3ddb59a9
Opcode Fuzzy Hash: bffac0ca2944af111f0aaca626089726f4c9d7f7cc5f7d605a4dcdc83858f7b1
Instruction Fuzzy Hash: 81112170200305AFE7109F65CA41B6AB7A8EF55754F22483FB9C4AB2C1DEBA5C418B68

Function 00442280 Relevance: 18.5, APIs: 12, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 0905aa29309d56c5e5724bcdf27190bb67b48a3456a12131699bde8e238d7290
Instruction ID: ede02fa90f1d609892362da0619453e2b311665d98c321069f64f2548bfd4230
Opcode Fuzzy Hash: 0905aa29309d56c5e5724bcdf27190bb67b48a3456a12131699bde8e238d7290
Instruction Fuzzy Hash: 60024E71A10204AFEB10EB6DCA85B5D77F4AB14305F5505BAF904EB362DBB8AE40DB48

Function 004291D0 Relevance: 18.2, APIs: 12, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
73A0A570.USER32(00000000,00000000,004293CB,?,?,00000054,?), ref: 00429221
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
SelectObject.GDI32(?), ref: 004292DF
SetBkColor.GDI32(?), ref: 0042931A
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
DeleteDC.GDI32(?), ref: 0042937D
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Color$A570
String ID:
API String ID: 3306858847-0
Opcode ID: 56b678e6e476b2794f677a3b73cc423569be5500bb579b412db42deba11a9f0c
Instruction ID: 63b1f4329c251e8023cf45a796c31d8c1c76af58f12f1bcae7cf91cce33ab726
Opcode Fuzzy Hash: 56b678e6e476b2794f677a3b73cc423569be5500bb579b412db42deba11a9f0c
Instruction Fuzzy Hash: 92511D71F04218ABDB10EBE9DC55FAEB7BCAF08704F54446AF614E72C1D678AD008B69

Function 0047F4E0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 295networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0047F543
htons.WS2_32(00000000), ref: 0047F567
inet_addr.WS2_32(00000000), ref: 0047F57B
gethostbyname.WS2_32(00000000), ref: 0047F593
connect.WS2_32(000000FF,00000002,00000010), ref: 0047F5BA

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

shutdown.WS2_32(000000FF,00000002), ref: 0047F8B9
closesocket.WS2_32(000000FF), ref: 0047F8C2

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?,00000000,0048AE8C,?,00000001,00000000,?,0047F6FD,?,00000000,0047F749,?,000000FF,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDList.SHELL32(?,?), ref: 0048AE09

Strings

FILEEND, xrefs: 0047F7E4
QUICKUP, xrefs: 0047F5DD
PLUGIN, xrefs: 0047F527

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FolderFromListLocationPathSpecialclosesocketconnectgethostbynamehtonsinet_addrsendshutdownsocket
String ID: FILEEND$PLUGIN$QUICKUP
API String ID: 799534975-4134529074
Opcode ID: 998f738617d970be2094329e7867a189451794c4539014d258a0e86ac305f136
Instruction ID: 51ce96c1098092ccf250bfa6c83678238c8feeb2df66a5b2be934bd4070a7dd2
Opcode Fuzzy Hash: 998f738617d970be2094329e7867a189451794c4539014d258a0e86ac305f136
Instruction Fuzzy Hash: 57C16570A04219AFDB10EB55CC45BDEB3B9EF58304F5080BBB608A7292D778AE45CF59

Function 00402820 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

Unknown, xrefs: 00402A7C
An unexpected memory leak has occurred. , xrefs: 00402980
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
String, xrefs: 00402A91
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
bytes: , xrefs: 00402A4D
, xrefs: 00402B04

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: d98dbe31d933f5a7662105fcb468f2e778fe9ab2c6d0efd817a8327315cadbc5
Instruction ID: 496791c9fb10991fef7c7f523b03bfff7a95d4bb9ec06be82af5ff3dde038bcd
Opcode Fuzzy Hash: d98dbe31d933f5a7662105fcb468f2e778fe9ab2c6d0efd817a8327315cadbc5
Instruction Fuzzy Hash: 7FA1D430B042548BDF21AA2DC988B99B7E4EB09314F1441F7E449BB3C2CBBD9985CB59

Function 0047FE20 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 167networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0047FE69
htons.WS2_32(00000000), ref: 0047FE8D
inet_addr.WS2_32(00000000), ref: 0047FEA1
gethostbyname.WS2_32(00000000), ref: 0047FEB9
connect.WS2_32(000000FF,00000002,00000010), ref: 0047FEE0
send.WSOCK32(000000FF,?,00000400,00000000,?,000000FF,?,00000400,00000000,000000FF,?,00000400,00000000,000000FF,00000002,00000010), ref: 0047FFF2

Strings

AI, xrefs: 0047FFB8
UPFLUX, xrefs: 0047FF17

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addrsendsocket
String ID: UPFLUX$AI
API String ID: 3699060267-1493256192
Opcode ID: dfaee7c100c24160caf41e5b9eb2dac0fb6ac46cd5fed7960ee9fdda6f87ab9d
Instruction ID: b7191babfadc448a06c2fa94924859304e88a291c5e2e33197d2760698211c1f
Opcode Fuzzy Hash: dfaee7c100c24160caf41e5b9eb2dac0fb6ac46cd5fed7960ee9fdda6f87ab9d
Instruction Fuzzy Hash: FA513174A00608AFDB10EF55DC82F9EB7F8EF49704F5044BAF604A7291DA78AE458B58

Function 0046F17C Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C,?,00000000,?,00000000,0046F2ED), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Strings

Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Normal, xrefs: 0046F211
,, xrefs: 0046F1E1
Maximized, xrefs: 0046F1FD
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$PlacementTextVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 2923846316-511446200
Opcode ID: ca7620ef2b838701469bee390c0adac9b49d7030bcdb8755161c2745663fdc3c
Instruction ID: 4768b413c3f92b58cbc98992ebaeaf5a1acde39280e8134cd0dc30b0707b2055
Opcode Fuzzy Hash: ca7620ef2b838701469bee390c0adac9b49d7030bcdb8755161c2745663fdc3c
Instruction Fuzzy Hash: 65416474900608BEDF10EBA5E851A9F76B9DB45314F60407BF880B2285E73D9E889E5E

Function 0042E71C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: bb1c40e1e40fe5ea8981d8ce3863e0b24a774febe785fe6cb73acb90b1a5addf
Instruction ID: e6956310d25dfe635fe51df9bf9dc645aed7cc5b0bfdb5b5b2e39949136a7a88
Opcode Fuzzy Hash: bb1c40e1e40fe5ea8981d8ce3863e0b24a774febe785fe6cb73acb90b1a5addf
Instruction Fuzzy Hash: 2C312C72E00259AFDB11DAAADD459FF77FCEB49310F40413BE915E3241EB3899018BA5

Function 00482630 Relevance: 16.6, APIs: 11, Instructions: 116threadnetworksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 004826CB
RtlExitUserThread.NTDLL(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WS2_32(00000000), ref: 004826F3
htons.WS2_32(00000000), ref: 004826FC
gethostbyname.WS2_32(00000000), ref: 0048270C
RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WS2_32(00000000,00000002,00000010), ref: 0048272F
RtlExitUserThread.NTDLL(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WS2_32(00000000), ref: 00482776
RtlExitUserThread.NTDLL(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$Sleepclosesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 681257413-0
Opcode ID: 9bd3994d80b3de13de8329bfaa00d7a866a4eee7f27e0c96566f1dee57e50916
Instruction ID: 0be33a30a7168a946e52d020e8be30beffd6b954083bdbc56d0a3abcfca40686
Opcode Fuzzy Hash: 9bd3994d80b3de13de8329bfaa00d7a866a4eee7f27e0c96566f1dee57e50916
Instruction Fuzzy Hash: 2E411170A00608ABDB10FBA6CD82B9FB3F9DF44708F50457BB504B72D2DA789A418B59

Function 00481318 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Strings

dclogs\, xrefs: 004813DB, 0048142A, 004815C7
Bytes (, xrefs: 0048153F
FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
:: , xrefs: 00481492
FTPSIZE, xrefs: 004815F1
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3424019298-4171340091
Opcode ID: c4f74cd142afbfb1dc6b2ff528ab4f1a771df7ac5d408ff0fa9b512a621e47c2
Instruction ID: 35b805d7260a6fe87c5eaec9904f23cf78c99d644eafe8f6a33729b82c253e93
Opcode Fuzzy Hash: c4f74cd142afbfb1dc6b2ff528ab4f1a771df7ac5d408ff0fa9b512a621e47c2
Instruction Fuzzy Hash: A5914230600208ABDB01FBD5D842E9E7BB9EF45708F60883BF500B72A5D77DA9169B5D

Function 00485954 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236filewindowCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3
Beep.KERNEL32(00000000,00000000), ref: 00485C68

Strings

tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
systeminfo, xrefs: 00485A14
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: DeleteFile$BeepMessage
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 1009875511-345806071
Opcode ID: 35605ac806c6e6c0df7aea1f30d165abb8cea25106146d3ee0af70c63aa8fd39
Instruction ID: b8610570d90741432704fbe5da62b6114c0f79561c7d0df99b3aa1d2e601203f
Opcode Fuzzy Hash: 35605ac806c6e6c0df7aea1f30d165abb8cea25106146d3ee0af70c63aa8fd39
Instruction Fuzzy Hash: 9891AC74A105099FCB00FB99D5829AEB7F5EF48304B608467F900BB796D639EE018F69

Function 00462C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.COMBASE(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.COMBASE(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.COMBASE(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

|*I, xrefs: 00462D3C
)I, xrefs: 00462E4B
l)I, xrefs: 00462CB9
,*I, xrefs: 00462CC3
\)I, xrefs: 00462D10

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: ,*I$\)I$l)I$|*I$)I
API String ID: 542301482-3023651653
Opcode ID: 2c8a3f1827572771026c356a1b69bfb746972271e97e3a08649d14abf9c4534d
Instruction ID: e19e976b9b68773fa06a866662e043369aca2b2800dc5aa44595a26c5ff47f56
Opcode Fuzzy Hash: 2c8a3f1827572771026c356a1b69bfb746972271e97e3a08649d14abf9c4534d
Instruction Fuzzy Hash: 4A616A72A40A05AFDB61EF58D981F4737ECAF59314F0101B6FD04EB2A1D6B9EC048B69

Function 0048A8AC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate
String ID: D
API String ID: 415043291-2746444292
Opcode ID: 5cd9e9b814d5f853602ab11d8444d8bd60a961894b34ba5fc45cdf8a40de1e48
Instruction ID: e817184193c0c03b942df6feaf068dcea89dbf5970112bf3689cad218da2397a
Opcode Fuzzy Hash: 5cd9e9b814d5f853602ab11d8444d8bd60a961894b34ba5fc45cdf8a40de1e48
Instruction Fuzzy Hash: 1D517870D04318ABEB21EBA5CC45BDEB7B8AB08314F1045ABF514B62C1D7785B55CB1A

Function 00466D4C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0045F60D), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 00466DF3

Strings

D, xrefs: 00466E5B

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate
String ID: D
API String ID: 415043291-2746444292
Opcode ID: 8e25f129ac98a2af74fbe22f8256de9f63df749bb7f8f244f057abbdcadcc4f6
Instruction ID: 2cc22e803c6896be624e4fbc2b28d0711532e3aa6bb33fc83574ad53e660c3ef
Opcode Fuzzy Hash: 8e25f129ac98a2af74fbe22f8256de9f63df749bb7f8f244f057abbdcadcc4f6
Instruction Fuzzy Hash: 61519370E04318ABEB21DBA5CC45BDEB7B8AB08314F1045EAF518F22C1D7795B45CB1A

Function 0048B908 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?,0048BA44,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000), ref: 0048BA2A

Strings

Limited, xrefs: 0048B9A7
Full, xrefs: 0048B998
unknow, xrefs: 0048B9B6
Default, xrefs: 0048B989

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$CloseCurrentHandleOpen
String ID: Default$Full$Limited$unknow
API String ID: 434396405-3005279702
Opcode ID: e98ab3777b43703bd83954c61211922ed6540875020cd577eeac98e4cbb4028c
Instruction ID: b96fe4ddba3f969ee1a658b8c7442e4488c28be40354120335758c9657957b45
Opcode Fuzzy Hash: e98ab3777b43703bd83954c61211922ed6540875020cd577eeac98e4cbb4028c
Instruction Fuzzy Hash: EB416375A04609EFDB05FB95C8419AFB7B9EB44304F508877E900A3684D73CAA05DB99

Function 00483468 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118networkthreadCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000000,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

RtlExitUserThread.NTDLL(00000000, Times.,?,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000,00000000,004835BF), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
Times., xrefs: 0048357D
BTRESULTVisit URL|finished to visit , xrefs: 00483558

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$ExitThreadUsersend
String ID: Times.$BTRESULTVisit URL|finished to visit $H4H$myappname
API String ID: 3039500454-1696038370
Opcode ID: 95f3495bc1fd2ed96fde18f6bdb763fc9107a9d67400c539238762eafd59d53a
Instruction ID: 9acfa86b35768e9f0b1189a3f7144397f4aa44dc505a2439edd4324a26b71e15
Opcode Fuzzy Hash: 95f3495bc1fd2ed96fde18f6bdb763fc9107a9d67400c539238762eafd59d53a
Instruction Fuzzy Hash: 72418670B00608AFDB11EF65DC52F5EB7F9EB48B04FA044BAB504B3281D6789A448F1C

Function 00475BD8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 118COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 00475D2E
GetCurrentProcessId.KERNEL32(00000000,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Part of subcall function 00484388: OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
Part of subcall function 00484388: GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
Part of subcall function 00484388: TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
Part of subcall function 00484388: CloseHandle.KERNEL32(00000000,004843E7,004843E0,?,00000001,00000000,00000000), ref: 004843DA

Strings

HKCU, xrefs: 00475C73
KEYNAME, xrefs: 00475C61
notepad, xrefs: 00475D1C
INSTALL, xrefs: 00475C45, 00475C80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00475C6E
cmd.exe, xrefs: 00475C06, 00475C15
notepad.exe, xrefs: 00475C25, 00475C34

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Process$CloseCodeCurrentExitHandleOpenTerminateclosesocket
String ID: HKCU$INSTALL$KEYNAME$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$cmd.exe$notepad$notepad.exe
API String ID: 1670311568-510231361
Opcode ID: ab6da3c05fde2bb65ff1431237b14476660256d48494369583b3202a6be6a1eb
Instruction ID: 5436a74f6f9e389a6a853b2f59f3f34778588aef63ff4b707e578e357af83887
Opcode Fuzzy Hash: ab6da3c05fde2bb65ff1431237b14476660256d48494369583b3202a6be6a1eb
Instruction Fuzzy Hash: 8931E430604F449EDB21BBB689066DE7368DB45304B90C83BF80C9E642DAFD9901967E

Function 0046F3B8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C,?,00000000,?,00000000,0046F519), ref: 0046F429

Strings

Normal/Unactive, xrefs: 0046F489
Maximized, xrefs: 0046F439
Show/Unactive, xrefs: 0046F475
False, xrefs: 0046F4D6
Normal, xrefs: 0046F44D
,, xrefs: 0046F41D
Minimized, xrefs: 0046F461

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$PlacementText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 29908588-3661939895
Opcode ID: c952794d25804e356698621d42fc77dd4c8f063034a3f45e57410c79a7368757
Instruction ID: 1ebd0148d9e47f58defe53e300c6861d9f7041bc1cac8e0206192933632317c6
Opcode Fuzzy Hash: c952794d25804e356698621d42fc77dd4c8f063034a3f45e57410c79a7368757
Instruction Fuzzy Hash: 00315970A00208BEDF10EEA5E84299F77B9DB55314F604077F441B2A46EB3C9E499A5B

Function 0041FD2C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041FD39
CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0041FD84
RtlEnterCriticalSection.NTDLL(004999D0), ref: 0041FDAC
RtlLeaveCriticalSection.NTDLL(004999D0), ref: 0041FE23
WaitForSingleObject.KERNEL32(?,000000FF,00000000,0041FE5C,?,004999D0,00000000,0041FE7B,?,004999D0,00000000,0041FEA2), ref: 0041FE3F
RtlEnterCriticalSection.NTDLL(004999D0), ref: 0041FE56

Strings

4PI, xrefs: 0041FD3E
\tA, xrefs: 0041FDD4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID: 4PI$\tA
API String ID: 1504017990-2555596473
Opcode ID: 699add66cfc5c1a546ea256eb7318c36655a720336dc8ee65dce3a5f0a19966a
Instruction ID: 6ecddfbed167c30d3b6a2ba75b467dd7d5a4ef8dd7646cfe1292a76b632e5a0c
Opcode Fuzzy Hash: 699add66cfc5c1a546ea256eb7318c36655a720336dc8ee65dce3a5f0a19966a
Instruction Fuzzy Hash: 8E41E334A04204AFDB01DF69D892F9ABBB0EB09314F2585B7F810A73E1D2786D45DB59

Function 0048BDD4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048BE01

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000,00000000,00489C5F,?,?,00000005,00000000,00000000,?,00485721,00000000,00485755,?,?,00000005), ref: 00489BEC

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,0048BEC8,?,?,?,?,00000000,00000000,00000000), ref: 0048BE42
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,0048BEC8), ref: 0048BE52
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000,0048BEC8), ref: 0048BE5B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00000000), ref: 0048BE61
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000080), ref: 0048BE68
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002), ref: 0048BE6E
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0048BEA8

Strings

open, xrefs: 0048BEA1

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Resource$File$CloseCreateExecuteFindHandleLoadLockPathShellSizeofTempWrite
String ID: open
API String ID: 3695355325-2758837156
Opcode ID: 84ffd76be853ab9c6405f1b094a76dc14c66fdc70abd0f1d84ba6f869d33b198
Instruction ID: 43799e2b1c38d44b387fd2260005e8023c2738a30ee5bcac768a912206ce1f91
Opcode Fuzzy Hash: 84ffd76be853ab9c6405f1b094a76dc14c66fdc70abd0f1d84ba6f869d33b198
Instruction Fuzzy Hash: 5D214F71A442087EE710FBA18C43FBF776CDF45714F50443AB600B61C2DA78AD048AB9

Function 00455EE8 Relevance: 15.2, APIs: 10, Instructions: 231windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00456000
SaveDC.GDI32(?), ref: 00456023
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00456063
RestoreDC.GDI32(?,00455EAF), ref: 0045608F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 1976014923-0
Opcode ID: 302d3445eb35f344943271f76171046b7a78bcd8011980b810a40f27115c4e32
Instruction ID: 6b1bab20f6622f3c7de5a7da467ef4f255f77b2f8cc452f27cf9149d9c103c32
Opcode Fuzzy Hash: 302d3445eb35f344943271f76171046b7a78bcd8011980b810a40f27115c4e32
Instruction Fuzzy Hash: 8E911A71A002489FDB05DF99C485FAEBBF5AF08304F1544AAEA04EB396D739ED84CB54

Function 00456278 Relevance: 15.2, APIs: 10, Instructions: 197COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303
SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3

Part of subcall function 004561C8: SaveDC.GDI32(?), ref: 004561D8
Part of subcall function 004561C8: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0045625E,?,?), ref: 00456219
Part of subcall function 004561C8: RestoreDC.GDI32(?,?), ref: 00456258

SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C
RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
String ID:
API String ID: 3997055466-0
Opcode ID: 3b7d523e932b42692fd9767136263b0deb8b2cdb8b0c873496559cd326214015
Instruction ID: bc8c08a30705a648f3c0ee3797e460638e083646ba0508a3aa660b25b454cb0d
Opcode Fuzzy Hash: 3b7d523e932b42692fd9767136263b0deb8b2cdb8b0c873496559cd326214015
Instruction Fuzzy Hash: 83711F75A00209AFDB00DB99C981F9EB7B9AF48304F51419AF900E7392D778AE45CB54

Function 004328FC Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00432A57,?,00000000,?,?,?,00000000,?), ref: 00432A13

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffset
String ID:
API String ID: 239630386-0
Opcode ID: c62bb7f6d1ddd562bc9a4e327f4f8333aff447e7fef4794d3d367fcbc27dcffe
Instruction ID: 47c1cbc41cf51a97151adcc7d9c98bfe2d9ebf44448c518fa4ffad7f7cf84421
Opcode Fuzzy Hash: c62bb7f6d1ddd562bc9a4e327f4f8333aff447e7fef4794d3d367fcbc27dcffe
Instruction Fuzzy Hash: 6E415171A00509ABCB00EAE9CE42EDFB7BDEF49315F10016AF914F7281DE789E458768

Function 0043F2B8 Relevance: 15.1, APIs: 10, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC), ref: 0043F440

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Long$Window$ClassMessageSend$MenuSystem
String ID:
API String ID: 494549727-0
Opcode ID: ed5950b7513ab977bace3757989dcf4a3624f85c4cc875f857bb5c37b5fc2fad
Instruction ID: 31ba2022adaebc7c5454a2c3e9b048a584a8924d3ab32279ab6cf42859ad06cc
Opcode Fuzzy Hash: ed5950b7513ab977bace3757989dcf4a3624f85c4cc875f857bb5c37b5fc2fad
Instruction Fuzzy Hash: A041D2A070824276C611733A8C46BBF66491FA1319F18462EF8A4BB2D3DE7C9849935E

Function 004035C4 Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32(?,000000F5), ref: 00403735
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 3c59c421baf084b5402e12b6d9ea479adb88dd9353cbee7bf8cbef23f48ab899
Instruction ID: 75c841ba4a36448c979fa12aada2731fe230a3b4169333e97607d36735e9785c
Opcode Fuzzy Hash: 3c59c421baf084b5402e12b6d9ea479adb88dd9353cbee7bf8cbef23f48ab899
Instruction Fuzzy Hash: 274172F0100700AAE730AF2989157637E98AB40715F20CE3FE496B76E1D77DAA45874D

Function 004821A0 Relevance: 15.1, APIs: 10, Instructions: 112threadnetworksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000000), ref: 0048223B
RtlExitUserThread.NTDLL(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WS2_32(00000000), ref: 00482263
htons.WS2_32(00000000), ref: 0048226C
gethostbyname.WS2_32(00000000), ref: 0048227C
RtlExitUserThread.NTDLL(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WS2_32(00000000,?,?,00000000,00000002,00000010), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WS2_32(00000000), ref: 004822D0
RtlExitUserThread.NTDLL(00000000,00000000,000003E8,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExitThreadUser$Sleepclosesocketgethostbynamehtonsinet_addrsendtosocket
String ID:
API String ID: 2434912527-0
Opcode ID: dc2b18d090f96f50001781a49c1916779bf8e014fcf552723931d7593c2535bd
Instruction ID: 54d30ec4a33870b5ffb2ae8f4417bf7d68c57728b1a7ca45fc5f0cbf2655ad28
Opcode Fuzzy Hash: dc2b18d090f96f50001781a49c1916779bf8e014fcf552723931d7593c2535bd
Instruction Fuzzy Hash: 50412370A00608AFDB10FBA5C942B9FB3B8EF44704F50457BF904B72D2DA78AE018B59

Function 0044155C Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 64978b088510bca8045298f4beebeb97328a657705bac038d36d957966bd8c36
Instruction ID: 552ce7ce67e27a723339bed75d044a5a00990493b53a2f8ca8fffe2ebb762983
Opcode Fuzzy Hash: 64978b088510bca8045298f4beebeb97328a657705bac038d36d957966bd8c36
Instruction Fuzzy Hash: EF213670384704BBE7309625CD8EF597BD86B14709F0580BDB6897F2D3CAB8E988461C

Function 00429FE4 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 351COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,?,00000000,0042A505,?,?), ref: 0042A252
SelectObject.GDI32(?,00000000), ref: 0042A2D6
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042A38F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042A344
SelectObject.GDI32(?,?), ref: 0042A383
DeleteObject.GDI32(00000000), ref: 0042A389

Strings

(, xrefs: 0042A19D
BM, xrefs: 0042A108

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$Select$A570DeleteErrorLast
String ID: ($BM
API String ID: 2612784382-2980357723
Opcode ID: 895dfda919fa588d9196c89d0cfc3d733bd05c266270671261156b86dde51a39
Instruction ID: 24cf4028bdda640bb24370e5a5a8d260a52f2390f1075e60c82c5e2027258d8d
Opcode Fuzzy Hash: 895dfda919fa588d9196c89d0cfc3d733bd05c266270671261156b86dde51a39
Instruction Fuzzy Hash: 6FD14B70B002189FDF14DFA9D885AAEBBB5FF48314F54846AF900E7395D7389850CB6A

Function 0040281E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
bytes: , xrefs: 00402A4D
, xrefs: 00402B04

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 6b0f9a5b781bc5e2afbc579dbb1cc35cb3e841a7c806f8fbee9488eb84cc441a
Instruction ID: 720d71dd93e16757c094652892308823067c6484f77dd192ad315921d69cc0b3
Opcode Fuzzy Hash: 6b0f9a5b781bc5e2afbc579dbb1cc35cb3e841a7c806f8fbee9488eb84cc441a
Instruction Fuzzy Hash: E471A430B042548BDF21AA2DC988B99BBE4EB09714F1041F7E449F72C2DBBD4A85CB59

Function 004710F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001,00000000,00000005,Shell_TrayWnd,00000000,00000000,004711BA), ref: 0047117C
ShowWindow.USER32(00000000,00000000,00000000,00000005,Shell_TrayWnd,00000000,00000000,004711BA), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Show$ClassFindName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2018406990-3627955571
Opcode ID: e1eb90fdc09cf4d79db6b5060a49001a14a1470a7d597967df34821b104f8e66
Instruction ID: f5034e82b016deeceec447be7542654671e55c36f1127998497d17e1e0968a59
Opcode Fuzzy Hash: e1eb90fdc09cf4d79db6b5060a49001a14a1470a7d597967df34821b104f8e66
Instruction Fuzzy Hash: 8E11EB30A40A1466D721E6658D03BDE72A8EF48714FD0C17BF548BA1D2EE3C5E05475C

Function 0040DA34 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: LPI
API String ID: 185507032-863635926
Opcode ID: d3f39fb5fbcde67155afe4d72b2c4e48e1d6f5154563cf0cada33c316f953f6e
Instruction ID: 78887651d415d93412bd23f9bad78e48ae5f65dc72d453059ea476f9ca3cc0c1
Opcode Fuzzy Hash: d3f39fb5fbcde67155afe4d72b2c4e48e1d6f5154563cf0cada33c316f953f6e
Instruction Fuzzy Hash: 70113DB29482046EE200F7A5CC42F9B77ECAF55704F40453BB754E60E2DA78E9458B6A

Function 0045049C Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004504D7
MulDiv.KERNEL32(?,?,?), ref: 004504F1
MulDiv.KERNEL32(?,?,?), ref: 0045051F
MulDiv.KERNEL32(?,?,?), ref: 00450535
MulDiv.KERNEL32(?,?,?), ref: 0045056D
MulDiv.KERNEL32(?,?,?), ref: 00450585

Part of subcall function 00424A40: MulDiv.KERNEL32(00000000,00000048,?), ref: 00424A51

MulDiv.KERNEL32(?), ref: 004505DC
MulDiv.KERNEL32(?), ref: 00450606
MulDiv.KERNEL32(00000000), ref: 0045062C

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fcfd80e463b8ca928775a9cb391cc0adbffc0cab59597b8fed37293dbbe765
Instruction ID: ff0af292283aebd12ba6b1737bf521e2d4a28c9f36469396836769f26dbf1ff6
Opcode Fuzzy Hash: 43fcfd80e463b8ca928775a9cb391cc0adbffc0cab59597b8fed37293dbbe765
Instruction Fuzzy Hash: AA517C74608754AFD320EB69C840B6BB7E9AF89305F044C1EBED5C7352D639E849CB29

Function 004840D8 Relevance: 13.6, APIs: 9, Instructions: 150COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484255

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Token$AccountCloseHandleInformationLookupOpenProcess$ErrorLast
String ID:
API String ID: 2622969909-0
Opcode ID: 514bf88b30820402c0140000f7026fd75c9fbcb622a42365a0d5b89b9b6ad4b2
Instruction ID: 9380d259a9f08b61f6ae00aa3dbdd2b35d79eeb890988b6a10cd753b18b9dc56
Opcode Fuzzy Hash: 514bf88b30820402c0140000f7026fd75c9fbcb622a42365a0d5b89b9b6ad4b2
Instruction Fuzzy Hash: B151FC71A04209AFDB10EBA5C885FEFB3F9EB49304F144566F510F7291D778AD048B69

Function 00425B28 Relevance: 13.6, APIs: 9, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00425B69
73A0A570.USER32(00000000,00000000,00425C76,?,00000000,00000000), ref: 00425B8C
SelectObject.GDI32(?,?), ref: 00425BFA
SelectObject.GDI32(?,00000000), ref: 00425C09
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00425C35
SelectObject.GDI32(?,00000000), ref: 00425C43
SelectObject.GDI32(?,00000000), ref: 00425C51
DeleteDC.GDI32(?), ref: 00425C67
DeleteDC.GDI32(?), ref: 00425C70

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$A570Stretch
String ID:
API String ID: 1268976527-0
Opcode ID: 8f69df34464a280598da0626fd4e1fd4675af0d5db5e42a9a2794f1d043afd85
Instruction ID: c2f83d4dfc6a8875747cc31697ec1f6be9fd5449ac02643b06bd0c8eab73a249
Opcode Fuzzy Hash: 8f69df34464a280598da0626fd4e1fd4675af0d5db5e42a9a2794f1d043afd85
Instruction Fuzzy Hash: 1F411A71E04619AFDB10EBE9D842FAFB7BCEF08704F500466F610F7281D67869008B69

Function 00465598 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,004657D8), ref: 00465607
IsBadReadPtr.KERNEL32(?,00000014), ref: 004657A9

Strings

BuildImportTable: GetProcAddress failed, xrefs: 0046577C
BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: LibraryLoadRead
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1452896035-1384308123
Opcode ID: 6aa059c455888908d262b2dad884aea557a1c1401c9c0ee8554390a8e8e6b66d
Instruction ID: fc7096757c938c905de0045d191350aedab49c8624d725e2722edfb242ce8ecf
Opcode Fuzzy Hash: 6aa059c455888908d262b2dad884aea557a1c1401c9c0ee8554390a8e8e6b66d
Instruction Fuzzy Hash: E2617570A00A04DFDB10EB69C881BAAB7F9EF48718F00C4AAB455DB751E778ED41CB56

Function 00482E34 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00483104,?,00483104,?,00483104,?,?,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Strings

LanList, xrefs: 0048306B
127.0.0.1, xrefs: 00482E9D
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Sleep$CreateThread
String ID: .255$127.0.0.1$LanList
API String ID: 3220764680-2919614961
Opcode ID: 39321ad9c43a7aed64eb5cb581981285699f2c1607fc88c75ec9ff32666b745d
Instruction ID: 78557ba10ca83d90213baf83ef5822c4bd7a92da1d7b56c00256e640220ce7ce
Opcode Fuzzy Hash: 39321ad9c43a7aed64eb5cb581981285699f2c1607fc88c75ec9ff32666b745d
Instruction Fuzzy Hash: 01618530B00108AFDB01FB95D891BAFB7B5EB49B05F10847BF500B7295DA78AE05CB59

Function 00454934 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 07524fccf5f8ed6b2e5ca9ac7e8a6429da9d63d9464425a53db4cacc3fe69124
Instruction ID: add7cf6bff182410af35e72f1b44c65e24ea4e07af845d2f3adeee9c8dd83fa8
Opcode Fuzzy Hash: 07524fccf5f8ed6b2e5ca9ac7e8a6429da9d63d9464425a53db4cacc3fe69124
Instruction Fuzzy Hash: 0E5183706003549BDB20EBB9CC41B9B73B9AF85309F00457EE845EB392DB78AD49CB59

Function 00427D18 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00427DBA
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00427DD7
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00427E03
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00427E23
DeleteEnhMetaFile.GDI32(00000016), ref: 00427E44
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00427E57

Strings

`, xrefs: 00427D9F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: a7e3d36f563d212234cec749c7afc4863b32fe3665694ec03a7e7adec4e7c7c2
Instruction ID: e3ff62f78798f2701d2e51da18529d582c44337715d3bfeb743cae8cd290645b
Opcode Fuzzy Hash: a7e3d36f563d212234cec749c7afc4863b32fe3665694ec03a7e7adec4e7c7c2
Instruction Fuzzy Hash: 5A411C71E04218AFDB00DFA5D485AAEB7F9EF48710F50856AF904F7241E738AD40CB69

Function 0048AC14 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

Strings

OpenProcessToken error, xrefs: 0048AC60
GetTokenInformation error, xrefs: 0048AC86

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: LookupNamePrivilegeProcessToken$CurrentDisplayInformationMessageOpen
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 3196225041-1842041635
Opcode ID: 64fea5a6abf8e037567579d72d0fa10bdc8dd24788d4b14ee9eda7e6a2843a19
Instruction ID: 3878a87cca9874fde37a330f4442285d0f87575cb7bda5b4bbe82b63adc5078a
Opcode Fuzzy Hash: 64fea5a6abf8e037567579d72d0fa10bdc8dd24788d4b14ee9eda7e6a2843a19
Instruction Fuzzy Hash: 6C317F71A00609ABEB00FB99C845AAFB7F9EF48304F54447BF500F7281D6789E059B6A

Function 0041F7B4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE

Part of subcall function 0041F768: ResetEvent.KERNEL32(00000238,0041F809), ref: 0041F76E

RtlEnterCriticalSection.NTDLL(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
RtlLeaveCriticalSection.NTDLL(004999D0), ref: 0041F888
RtlEnterCriticalSection.NTDLL(004999D0), ref: 0041F8F7

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: 4PI
API String ID: 2189153385-1771581502
Opcode ID: 09ff975300d849943e3fcd04de3a87dc99c31ced76aeb7c098c280148ab32fa2
Instruction ID: 337109815828baa05acd0f74cbcbae9347e21aa764477ecd5701fe5bfbdf0f90
Opcode Fuzzy Hash: 09ff975300d849943e3fcd04de3a87dc99c31ced76aeb7c098c280148ab32fa2
Instruction Fuzzy Hash: BF31F570A14304AFD701EF69C852BAEB7F4EB49704F61847BF400E26A1D73C6D86CA29

Function 0042E4A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

GetMonitorInfo, xrefs: 0042E4B8
DISPLAY, xrefs: 0042E539

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: e852520c5424640a3b2f8fd5c4260c12b85e4800785811b7a0e8dbb9e876f0df
Instruction ID: 456d4176f5ccada5d366c8f7b6d565fe28fa6be8b4654b750548c457f7b91245
Opcode Fuzzy Hash: e852520c5424640a3b2f8fd5c4260c12b85e4800785811b7a0e8dbb9e876f0df
Instruction Fuzzy Hash: 13110331710321AFE720CFAAAC417A7B7A8FF45324F40453FF85597640E774A8808BA8

Function 0042E574 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
DISPLAY, xrefs: 0042E60D
tB, xrefs: 0042E591, 0042E59E, 0042E5A5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 2545840971-2667026318
Opcode ID: 4e1fa72082cf4869a546b406cddb919f75edc9635d85cb29e06c52c56970664b
Instruction ID: 24d26b85717cd816e1945aa7207ac766b393cffdb44520f45589ec4d3f3fbf9d
Opcode Fuzzy Hash: 4e1fa72082cf4869a546b406cddb919f75edc9635d85cb29e06c52c56970664b
Instruction Fuzzy Hash: 6A1106317003209FD7208F6AAC447A7B7A9EB56711F80493FEC459B740D375A8448FA9

Function 0042E648 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E6E1
GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 2545840971-4264061949
Opcode ID: 4e7f2b4a8317ed2c04ffb1e0f1bd1b0aa7a0f9993e4ae3b5d3e5a6fb2dca36c3
Instruction ID: 21b644052e4ba1544673feaddbb0c8192536a1f4c2fb5b1bbf4850f28cb0aa70
Opcode Fuzzy Hash: 4e7f2b4a8317ed2c04ffb1e0f1bd1b0aa7a0f9993e4ae3b5d3e5a6fb2dca36c3
Instruction Fuzzy Hash: 5B11A2317003219FD720CF6AAC45BA7B7A8EB55750F80053FF85697641D7B4A844CBA9

Function 004052FC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,00000000,00000000,?,00000002,0040546E,00403003,0040304A,00000000,?), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,00000000,00000000,?,00000002,0040546E,00403003,0040304A,00000000), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,00000000,00000000), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,00000000,00000000), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 27150f117657527c5bd09bf0f1f1545a92ea8b80ab116458a7641c4d609dd0b4
Instruction ID: 76f3b1a99dd541255ef07f31c01649d9a0dbcbd5632e181e69c4d7c91aea6cb3
Opcode Fuzzy Hash: 27150f117657527c5bd09bf0f1f1545a92ea8b80ab116458a7641c4d609dd0b4
Instruction Fuzzy Hash: B5F06D65684B4178EB1173A46C46F5B26589714B68F6046FFB620B80F296FC44C08B6E

Function 004296E0 Relevance: 12.2, APIs: 8, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429D5C: 73A0A570.USER32(00000000,?,?,?,?,0042889B,00000000,00428927), ref: 00429DB2
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042889B,00000000,00428927), ref: 00429DF5

GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectObject.GDI32(?,?), ref: 0042983F
SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: BrushModeObjectSelectStretch$A570CreateDeleteHalftonePalette
String ID:
API String ID: 3467007361-0
Opcode ID: a387074c04359e8af01a2fe67e6a1ab255f0d74921970ce0f5c7fa4d7ecd11b1
Instruction ID: c195afdf496357cbd99ba5c4060dcec9e593aa20b2bbb46d4828fe4d7254503d
Opcode Fuzzy Hash: a387074c04359e8af01a2fe67e6a1ab255f0d74921970ce0f5c7fa4d7ecd11b1
Instruction Fuzzy Hash: AB7159B5B04215AFCB10DFA9C985F5AB7F8AF08300F5484AAF508E7392D638ED40CB94

Function 00442C9C Relevance: 12.2, APIs: 8, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 86a969c7f8da45f73aa07e181b4ea3c8b3707a2cad9e43eae031c4b5b1df55d4
Instruction ID: 2f1b271766376fa3c053c9bfcccb2958eddad417a10fa4b06557aab8cee9ce41
Opcode Fuzzy Hash: 86a969c7f8da45f73aa07e181b4ea3c8b3707a2cad9e43eae031c4b5b1df55d4
Instruction Fuzzy Hash: 52514370A00644AFEB11EF69CE46B9D77F1EF44704F5544BAF400AB2A2DB78AD44DB48

Function 0046E0DC Relevance: 12.1, APIs: 8, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Open$CloseDeleteValue
String ID:
API String ID: 2215348558-0
Opcode ID: 8b6b2314fb6bd852eb358ef415d35007767ec2a8dd2c8354f205172ac6cdf404
Instruction ID: 0d0defd982c84b28728134ce3f8e850540e1230505d603c4eecc2b5e28cb9dd2
Opcode Fuzzy Hash: 8b6b2314fb6bd852eb358ef415d35007767ec2a8dd2c8354f205172ac6cdf404
Instruction Fuzzy Hash: 1A31FBB1A04608EEE701EA96CC52FBF77ACEB04714F60046BB610B75C2D6786D01DA6A

Function 004462F4 Relevance: 12.1, APIs: 8, Instructions: 99windowthreadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0044631A
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,02378130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,02378130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,02378130,?), ref: 004463D4

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MessageSendWindow$ProcessThread$CaptureUnicode
String ID:
API String ID: 1994056952-0
Opcode ID: b9d9bcca683b51d8ae5a5a0740192773cdcc830a3b6823dc7ba5c0061f55f824
Instruction ID: 13867d2a231eb5f4ff3656b45f74faf81ae527ad78ffc0860992d4fb68bf68a9
Opcode Fuzzy Hash: b9d9bcca683b51d8ae5a5a0740192773cdcc830a3b6823dc7ba5c0061f55f824
Instruction Fuzzy Hash: 7521AD71204648AFE660FE5ACA81E6B73DD9F06314F15443EFD99D3642EA68FC00876E

Function 0046E244 Relevance: 12.1, APIs: 8, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Open$CloseDelete
String ID:
API String ID: 3718852434-0
Opcode ID: b5f856d402cd9e412ace6a534cb2575ac9d81021cc551ea9bf5a79f107e4064f
Instruction ID: 324e92aa9deaf5a12c1b943c00b2839a1683a30f452a5a5e905a59a16d4b980d
Opcode Fuzzy Hash: b5f856d402cd9e412ace6a534cb2575ac9d81021cc551ea9bf5a79f107e4064f
Instruction Fuzzy Hash: BC3112B4A04608FEE701E696CC42F7F77ACDB04714F604067BA00B76C2E7785D41CA5A

Function 00401F8B Relevance: 10.9, APIs: 7, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaf3a952b1afae5927fc137353aed0e55f18229a27538bba72325b71fb8a0d3
Instruction ID: 5bd92071042cbb3672ae29785d687eb903e89485942fd4179da11cf124cd87ab
Opcode Fuzzy Hash: ebaf3a952b1afae5927fc137353aed0e55f18229a27538bba72325b71fb8a0d3
Instruction Fuzzy Hash: E7B159727107000BD7159ABD9D8876AB3C19BC0325F28827FF604EB3E6DABCC9458358

Function 00434550 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

,, xrefs: 00434600
?, xrefs: 00434607

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: d0caef3cf46ac8a557962603bc65c22dfc050fa75b1ffcd56991762ebc954d8a
Instruction ID: 84b8b59cc77567219983042769a44960b1f0fe195c185aa27248aa5cc96d9529
Opcode Fuzzy Hash: d0caef3cf46ac8a557962603bc65c22dfc050fa75b1ffcd56991762ebc954d8a
Instruction Fuzzy Hash: 8F61E234904244AFDB00EF69D9826AA77F9AF4A314F54517BF940A7396D73CEE00CB68

Function 00488F80 Relevance: 10.7, APIs: 7, Instructions: 169COMMON

Download Yara Rule

APIs

SetCursorPos.USER32(00000000,00000000,?,?,?,00000000,0048916A,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004890E0
mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: mouse_event$Cursor
String ID:
API String ID: 930491299-0
Opcode ID: a1a94421c1cb220ceb425be68ae3d4e2083a1e0f8bba6155c0dfd86be6771a44
Instruction ID: 2942b52aaad0b5401ecbc9f6a8dd5ff6b056584561b49769336fe13875f60f22
Opcode Fuzzy Hash: a1a94421c1cb220ceb425be68ae3d4e2083a1e0f8bba6155c0dfd86be6771a44
Instruction Fuzzy Hash: 80515E30740609BBEB14F6A9DD47BAE73A5DB48704F34443AB504BB2D2DA78BE009B5D

Function 00459DC8 Relevance: 10.7, APIs: 7, Instructions: 162COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00459FAC), ref: 00459EAD
GetTickCount.KERNEL32 ref: 00459EB2
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00459EF6
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00459F0E
AnimateWindow.USER32(00000000,00000064,?), ref: 00459F53
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00459FAC), ref: 00459F76

Part of subcall function 0045D588: GetCursorPos.USER32(?), ref: 0045D58C

GetTickCount.KERNEL32 ref: 00459F93

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: aa14a5b9b66d5ffca03ecf7fe8ed1f1a39584a83342b2a9436fbcdb81203739a
Instruction ID: b53e01449b071247014518636bdbe8eca2e9b90678afcd3b34df346eefcdc5f2
Opcode Fuzzy Hash: aa14a5b9b66d5ffca03ecf7fe8ed1f1a39584a83342b2a9436fbcdb81203739a
Instruction Fuzzy Hash: 7E514E74A00205EFDB10DF99C982A9EB7F5EF44305F2041AAE900EB392D778AE45DB58

Function 00446834 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004468EE
MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,004469A3,?,00000000,0044699C), ref: 0044697D
SetActiveWindow.USER32(00000000,004469A3,?,00000000,0044699C), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Active$LastMessagePopupRect
String ID: (
API String ID: 3456420849-3887548279
Opcode ID: 2170b5857a065a963d76b73bbb908134d8a6a1db87677a3c5f78d7cd79966a58
Instruction ID: 42eed2a894508410f77d993bec14c055e9d3e175a50d70d66cb23c42a0f64e55
Opcode Fuzzy Hash: 2170b5857a065a963d76b73bbb908134d8a6a1db87677a3c5f78d7cd79966a58
Instruction Fuzzy Hash: 23510CB5E00108AFEB04DBA9DD81FAEB7B8FB49304F55446AF500E7391D774AD008B54

Function 00455D50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00455D7B
SaveDC.GDI32(00000000), ref: 00455DB4
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,00455E72,?,00000000), ref: 00455E36
RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
EndPaint.USER32(00000000,?,00455EB6), ref: 00455EA9

Strings

C, xrefs: 00455D5F, 00455E93

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID: C
API String ID: 3808407030-2515487769
Opcode ID: 888a879ae99cbd7647c9a7e1035508b39fe22815fd165fdbe5a34adac1fe7c2e
Instruction ID: e001a26d531563fa23fdc803b396fbfa676b07fad10f8407f7f1d2b29e1fb75b
Opcode Fuzzy Hash: 888a879ae99cbd7647c9a7e1035508b39fe22815fd165fdbe5a34adac1fe7c2e
Instruction Fuzzy Hash: D0416070904648DFDB04DB94C86AFBEB7F4EF49305F1544AAE904973A2D778AE44CB44

Function 00443FF8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,004441A3,?,0237F360,?,00444205,00000000,?,004535D7), ref: 0044404E
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004440B6
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0044415F,?,80000002,00000000), ref: 004440F0
RegCloseKey.ADVAPI32(?,00444166,00000000,?,00000100,00000000,0044415F,?,80000002,00000000), ref: 00444159

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004440A0
layout text, xrefs: 004440E7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: c6432470b7be4713b8879043ef602826cba518c5e4738e84ecc5872081b1ac54
Instruction ID: a9d280ae9ca0cb7535a0fb6f98684f98e26f6f05a10c65fd5f5b626f0ad54445
Opcode Fuzzy Hash: c6432470b7be4713b8879043ef602826cba518c5e4738e84ecc5872081b1ac54
Instruction Fuzzy Hash: 26416C74A00609AFEB10DF55CD85B9EB7F8EB88304F5040A6E904E7391D738AE44CB69

Function 00451458 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045148F
SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ObjectSelect$DesktopWindow
String ID:
API String ID: 2666862715-0
Opcode ID: 9184ead9b5e56207c9c1889c545010ee8ad39081a282cccd7d10f9368b9e6461
Instruction ID: f45762fa14ff2fc965c7ee9ec3915ddbddd17c45d0235e4fafe665391fa36151
Opcode Fuzzy Hash: 9184ead9b5e56207c9c1889c545010ee8ad39081a282cccd7d10f9368b9e6461
Instruction Fuzzy Hash: 47310976E00219BFDB00DEEDCD85EAFBBBDAF49704B404469B504F7241C679AD058BA4

Function 0046DF5C Relevance: 10.6, APIs: 7, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(80000000,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00000000,0046E0CE), ref: 0046DFD7
RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,80000000,00000000,00000000,00000000,00000000,00020006,00000000), ref: 0046E002
RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,80000001,00000000,00000000,00000000,00000000,00020006,00000000), ref: 0046E02D
RegCreateKeyExA.ADVAPI32(80000003,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,80000002,00000000,00000000,00000000,00000000,00020006,00000000), ref: 0046E055
RegCreateKeyExA.ADVAPI32(80000005,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,80000003,00000000,00000000,00000000,00000000,00020006,00000000), ref: 0046E07D
RegCreateKeyExA.ADVAPI32(80000006,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,80000005,00000000,00000000,00000000,00000000,00020006,00000000), ref: 0046E0A5
RegCloseKey.ADVAPI32(?,00000000,0046E0CE), ref: 0046E0AE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Create$Close
String ID:
API String ID: 2684088411-0
Opcode ID: 535f876901661327ebb3f6d24e7aabe520628f23553f163764c067a39374f371
Instruction ID: 79eda703fa904f021ee76264a421b81fdcdbdeb9f81b8cb632efd02e44c44320
Opcode Fuzzy Hash: 535f876901661327ebb3f6d24e7aabe520628f23553f163764c067a39374f371
Instruction Fuzzy Hash: C831E375B84718BEF620E695DC43F6F77A9DB04B14F704066B701BA1C2D6B46D00C76A

Function 00446524 Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583
TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
String ID:
API String ID: 2190272339-0
Opcode ID: 89415d6b3f9b761de0f341790fedd2f27846a16c3b0d3cdcf15f79df058f7dc4
Instruction ID: e1c1aeb17a52bbcef9af639f6a3ee2d69bf8a5c229f36a97b83069c848892604
Opcode Fuzzy Hash: 89415d6b3f9b761de0f341790fedd2f27846a16c3b0d3cdcf15f79df058f7dc4
Instruction Fuzzy Hash: E521D23070474075FB3136291D42BABAB994FD3B48F17446FF981A62CACEBE9846811F

Function 004282D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
73A0A570.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042840B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004283EB,?,?,00000000,00000000,00000008,?,00000000,0042840B), ref: 004283A7

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: BitsFileMeta$A570
String ID: `
API String ID: 2497453717-2679148245
Opcode ID: 1b5c98303e53a6854ef7c32807cf423d83e0e83dc439d022958a30544264a49e
Instruction ID: 51eeb2669b08d6c6b0e11feb4cea8572e5981be65c445000373ac7e6655679c9
Opcode Fuzzy Hash: 1b5c98303e53a6854ef7c32807cf423d83e0e83dc439d022958a30544264a49e
Instruction Fuzzy Hash: EA318A75B00214ABDB00DFD5D882AAFB7B8EF08704F50446AF904FB281D7399D40D7A9

Function 00485F40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00485F69
htons.WS2_32(00000000), ref: 00485F8F
inet_addr.WS2_32(00000000), ref: 00485FA0
gethostbyname.WS2_32(00000000), ref: 00485FB5
connect.WS2_32(?,00000002,00000010), ref: 00485FD8

Strings

SOUND, xrefs: 00486016

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsinet_addrsocket
String ID: SOUND
API String ID: 2758610518-265945396
Opcode ID: 2cb1f141cd5c49f875004771a4018114f88d6b5d4e1e208129e86d4fa458a0af
Instruction ID: b144254ac8ecc6f49a75c77847817f2209d912285863e49d2354dc1b776f67d4
Opcode Fuzzy Hash: 2cb1f141cd5c49f875004771a4018114f88d6b5d4e1e208129e86d4fa458a0af
Instruction Fuzzy Hash: 71315E74600604AFDB10EBA5CC86F6F77A9EB89714F50843BB505E72E1D7789810CB59

Function 0044D1B0 Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Long$Prop$Unicode
String ID:
API String ID: 1693715928-0
Opcode ID: 0fac7224efcef0e86c53bd90891ffa8de72719c288afddcebd9547b64a95db78
Instruction ID: 870d7b9fba80d909d72d24a943b55cf57afb08b5bd731cf2e579d49592492411
Opcode Fuzzy Hash: 0fac7224efcef0e86c53bd90891ffa8de72719c288afddcebd9547b64a95db78
Instruction Fuzzy Hash: 05316775504204BBDF00DFA9CD84EAA37A8BB18364F14426AF914DB2A0D678E900CB68

Function 00482B34 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84threadsleepmemoryCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
RtlExitUserThread.NTDLL(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$ExitUser$AllocCreateLocalSleep
String ID: p)H
API String ID: 205382184-2549212939
Opcode ID: a80da87ff1e73bc28b7644bdaa09c5f9996a6c934d98c52843a1a76ebecf666f
Instruction ID: bf14973b296dbd898b304faf9790d54e98c1f7480834556acc5c969932de2cc8
Opcode Fuzzy Hash: a80da87ff1e73bc28b7644bdaa09c5f9996a6c934d98c52843a1a76ebecf666f
Instruction Fuzzy Hash: F421D270644608AFEB01EF65CD42F6E77E8EB48704F60483BF904B72D1D6B8AD008B69

Function 00449834 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E3A4: 74D31540.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressD31540HandleModuleProc
String ID: $qA$ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 1396334358-220664750
Opcode ID: 0d97a52227134e47b9bf7452b25302d48b1f27c0742add7b0a67af76e61bc053
Instruction ID: a93832194650b3540e04aa494f4a9d3b54b7cefa1e230934a88febb79c7440a8
Opcode Fuzzy Hash: 0d97a52227134e47b9bf7452b25302d48b1f27c0742add7b0a67af76e61bc053
Instruction Fuzzy Hash: 13218E706082019BE715FB7ADC52B6B37A8AB96718B40013FB404E73D1DB7CAD04E65D

Function 00437BBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(00000000), ref: 00437BE4

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000001,004216E2,?,?,0042B4DA,00000008,00000060,00000048,00000000,0042B57F), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81

Part of subcall function 0040FA10: SetErrorMode.KERNEL32 ref: 0040FA1A
Part of subcall function 0040FA10: LoadLibraryA.KERNEL32(00000000,00000000,0040FA64,?,00000000,0040FA82), ref: 0040FA49

GetProcAddress.KERNEL32(?,KbdLayerDescriptor), ref: 00437C75
FreeLibrary.KERNEL32(?,00437CAF,?,00000000,00437CEF), ref: 00437CA2

Strings

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 00437C29
KbdLayerDescriptor, xrefs: 00437C6C
Layout File, xrefs: 00437C41

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
API String ID: 3365787578-2194312379
Opcode ID: 2b88126a0f4520e25a82f5c41262df8ea1c18c93d1c11cce69c3f150b5885a32
Instruction ID: 3dd7391f7c6f851bf46be3104fc741d671385897a1f138f514713a5a44896589
Opcode Fuzzy Hash: 2b88126a0f4520e25a82f5c41262df8ea1c18c93d1c11cce69c3f150b5885a32
Instruction Fuzzy Hash: DC21B274E04208AFCB11EFA5D95299EB7B6FF8D704F90947AE400A7650D73CA905CB68

Function 0041FF20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041FF2E
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

Strings

4PI, xrefs: 0041FF33

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID: 4PI
API String ID: 1797888035-1771581502
Opcode ID: 7e44043004774fc2fa5ed107ff81dac6efd4f0ebb9cde2c90c950d13309c5f0d
Instruction ID: ea62180bd67ea2655a2d729fb534156628def659346ffae691d532a91bbd1061
Opcode Fuzzy Hash: 7e44043004774fc2fa5ed107ff81dac6efd4f0ebb9cde2c90c950d13309c5f0d
Instruction Fuzzy Hash: C411C2317443006BD610EA79CCC2F9F73C8AF45B24F104A3BF654E72D1D678E986864A

Function 004442A8 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32 ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 6cb808043ec799ce6d142cfd6818718385bdb66353ee07f8ef48e87ada51ee1c
Instruction ID: b51619169152862e494bab1bd9cd2aabd8da2712daabcd4049ae248c8f1ac08c
Opcode Fuzzy Hash: 6cb808043ec799ce6d142cfd6818718385bdb66353ee07f8ef48e87ada51ee1c
Instruction Fuzzy Hash: A501D22120421075D6212F658D82F3FB6A8EFC4B59F40453FF9C4AA292EA3DCC01932E

Function 00404448 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

FPUMaskValue, xrefs: 00404494
&, xrefs: 00404476
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL$&
API String ID: 3677997916-897963132
Opcode ID: 166030d2d1aa8aae0688cd7852a0e5c7b62e02226967b94fe18ea4d0696d1e06
Instruction ID: 8996b5f54206d66871a04cf72f1bcd55ef108f6bf4bf99d44132976ec8c8988a
Opcode Fuzzy Hash: 166030d2d1aa8aae0688cd7852a0e5c7b62e02226967b94fe18ea4d0696d1e06
Instruction Fuzzy Hash: A701B5B5900308BAE711DBD19D42BF973ECEB48B04F104577BB04E29D0E6795950D65C

Function 0040F3A4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Resource$FindLoad
String ID: 0PI$DVCLAL
API String ID: 2619053042-2981686760
Opcode ID: 11aa13915ab47e4800454c0d78372b615ad1b2374bfd46017ae8eba7b05ab764
Instruction ID: 21f1df4665e6585a1bc63aad75ab048ec5abeb20943727226ac101720324ec8b
Opcode Fuzzy Hash: 11aa13915ab47e4800454c0d78372b615ad1b2374bfd46017ae8eba7b05ab764
Instruction Fuzzy Hash: 6B011D757403016BD620DB5AECC1F1733A8EBEA755B140076FE11EB692CA78AC068B29

Function 004564D0 Relevance: 9.2, APIs: 6, Instructions: 177COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 0045653C
EndPaint.USER32(00000000,?,004566F9,004565D6,?,00000000,?), ref: 004565D0

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: EndPaint.USER32(00000000,?,00455EB6), ref: 00455EA9

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Paint$Begin
String ID:
API String ID: 3787552996-0
Opcode ID: 95ec08e0ea46a350ec8412fd35fa276b3992f283e0b1b1fe99c91dcc30870285
Instruction ID: ba54978d8a76accaba9251eccd698e15939d291b1a8974ea29829a9457ff2739
Opcode Fuzzy Hash: 95ec08e0ea46a350ec8412fd35fa276b3992f283e0b1b1fe99c91dcc30870285
Instruction Fuzzy Hash: CE516371A00108BFCB00DFA9D951E9EB7F9EF49304F51406AF904E7256DB78AE05CB58

Function 00484B30 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475E2C: send.WSOCK32(00000000,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Sleepsend
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3569362012-992323826
Opcode ID: edb6eb458c1380df5f0b9521920cc591fbb72250e50f87fcd1ab301eb8c3db09
Instruction ID: 4dc3f21750824eb761b8ddbffe2b69eac43d88aacfe18e4a0d1c018291212bec
Opcode Fuzzy Hash: edb6eb458c1380df5f0b9521920cc591fbb72250e50f87fcd1ab301eb8c3db09
Instruction Fuzzy Hash: 91613034A0060A9FCB10FBA5D5819EEB7F5FF89304F51886AE800B7791D738AD41CB69

Function 0043EC18 Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80
EndPaint.USER32(?,?,0043EDF4), ref: 0043EDE0

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: bd5654e44538387235f788496d1a83f81909e7a7d0aed47606b8842c0d0d3158
Instruction ID: 791a0078e2b19a0cdf00cf67927d0bfb3d11a9ff5f7251d28017940130aac08b
Opcode Fuzzy Hash: bd5654e44538387235f788496d1a83f81909e7a7d0aed47606b8842c0d0d3158
Instruction Fuzzy Hash: E651FD74A05109EFCB10DBAAC589E9DB7F9AB48314F1591A6F408EB392C738AE45CF04

Function 004117E8 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?,00000000), ref: 004119A1

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction ID: 56e7be974e145dbdf24d11057acd3082f22e7a8583729f48528c280c05a6b93d
Opcode Fuzzy Hash: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction Fuzzy Hash: 9B51EC7590022D9BCB61DB59C891BD9B3FCAF48304F0041DAF609E7212D678AFC58F69

Function 00441160 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 004253D0: RtlEnterCriticalSection.NTDLL(00499A30), ref: 004253D8
Part of subcall function 004253D0: RtlLeaveCriticalSection.NTDLL(00499A30), ref: 004253E5
Part of subcall function 004253D0: RtlEnterCriticalSection.NTDLL(00000038), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,00000000,00441338,?,00000000,0044135B), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F
RestoreDC.GDI32(00000000,?), ref: 004412E5

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
String ID:
API String ID: 3001281481-0
Opcode ID: 217837fbf3a9bd6a06c3e796d742c275667895d3d49c3d6df1e429443568758f
Instruction ID: c4e04a309c28a4001c2c80d3d4d997d98b5031581d989019e0f34b0d4a3095b6
Opcode Fuzzy Hash: 217837fbf3a9bd6a06c3e796d742c275667895d3d49c3d6df1e429443568758f
Instruction Fuzzy Hash: 8051F974A00104EFDB40DFA9C985E9EB7F9BB49304F5540E6F404EB362CA78AD41CB59

Function 00401A0C Relevance: 9.0, APIs: 7, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,004019DA), ref: 00401AC3
Sleep.KERNEL32(0000000A,00000000,?,004019DA), ref: 00401AD9
Sleep.KERNEL32(00000000,?,?,?,004019DA), ref: 00401B07
Sleep.KERNEL32(0000000A,00000000,?,?,?,004019DA), ref: 00401B1D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ef251b9545fb198064ea3512c1ee2f9da540059c4816aee8c877f4aa09c806df
Instruction ID: 0c431259617cb9d74e53d2be59ec808ff93416f5b309ea3195937a398a0c087f
Opcode Fuzzy Hash: ef251b9545fb198064ea3512c1ee2f9da540059c4816aee8c877f4aa09c806df
Instruction Fuzzy Hash: AAC15A726016408FD716CF68E8C4716BBE1EB95310F2882BFE4059B3F6D778A941CB98

Function 004258EC Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938
SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: c4ccee4f487ba90d668899706d29f06526b2cd7f7153b6181cf69ee1bf7ae84a
Instruction ID: 81bb47dbdfc32cbbdc6fdef5b628dde2854f69910ed02703a0ac4bf5e0a11307
Opcode Fuzzy Hash: c4ccee4f487ba90d668899706d29f06526b2cd7f7153b6181cf69ee1bf7ae84a
Instruction Fuzzy Hash: 62F0BF757041109BCF01FFBAEAC6E0B679CAF443097404096B904DF29BCA38E810477A

Function 00448A94 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Color$Text
String ID: 6B
API String ID: 657580467-4127139157
Opcode ID: 81d1818aea6d19e0595d1cd307410b55b7e5ca1a1f5949623886d4f481612452
Instruction ID: 6bc529a5eccb1f955ba1aaa618d20ba3ad597f5f47841333e2455c053005e396
Opcode Fuzzy Hash: 81d1818aea6d19e0595d1cd307410b55b7e5ca1a1f5949623886d4f481612452
Instruction Fuzzy Hash: 5851F871740114AFDB40EF69DDC2F9E37A9AF48318F50416AFA04EB386CA78EC418769

Function 0048DA48 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0
3, xrefs: 0048DACB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: de4336aeebc80715663fbf42346b2f456234e10abfb8800ea57e19441f9f51bf
Instruction ID: 3c8698a95295099e7773eda12b7d456ee7ba9a9c1c397da230e155ece48b36bf
Opcode Fuzzy Hash: de4336aeebc80715663fbf42346b2f456234e10abfb8800ea57e19441f9f51bf
Instruction Fuzzy Hash: 2A418070D042988EDB11EBA5C8957DEBBB8AF09304F1404FBE448F7282D7789E458F55

Function 00446EDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98timethreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB
GetCurrentThreadId.KERNEL32 ref: 00446FE5
WaitMessage.USER32(00000000,00447029,?,?,?,02378130), ref: 00447009

Strings

4PI, xrefs: 00446FEA
TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CurrentCursorMessageThreadTimerWait
String ID: 4PI$TfD
API String ID: 3909455694-2665388893
Opcode ID: d3398b0d4299286fab3d3ebc7e731ec4ce436e3110c4dedfb8f2fd2e615eca5e
Instruction ID: 02ea40d705db833de404523f4eb9caf30b6421c57475094da6122cc77e9977b1
Opcode Fuzzy Hash: d3398b0d4299286fab3d3ebc7e731ec4ce436e3110c4dedfb8f2fd2e615eca5e
Instruction Fuzzy Hash: CC419530A08208EFFB11DF68E985B9EB7F5EB06304F6144BAE440A7391DB786D44CB59

Function 00482320 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85threadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8
RtlExitUserThread.NTDLL(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417
@, xrefs: 004823BE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$CreateExitSleepUser
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 109117123-696998096
Opcode ID: b19ec0970c7a19c74fddcc9309a9b84bf9cccbf89499dce76df7411564ce6ac1
Instruction ID: dac8b786dc4711ef7958a0d0fde63276d43ba23e6262d4ec867ffc253f1f534f
Opcode Fuzzy Hash: b19ec0970c7a19c74fddcc9309a9b84bf9cccbf89499dce76df7411564ce6ac1
Instruction Fuzzy Hash: 5A318F30A0420D9FDB00FBA1CA42A9EBBB5EF05B04F10497BE590B7292D7795E51CF69

Function 004827C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85threadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C
RtlExitUserThread.NTDLL(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$CreateExitSleepUser
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 109117123-491318438
Opcode ID: 42de27092773758683cee76bfceb05ba93f5d9755bff5fb230ec06535b0786b8
Instruction ID: 2629518abf078e329d9764aa694850172635a37c95095883a7ad8a545da6d5d7
Opcode Fuzzy Hash: 42de27092773758683cee76bfceb05ba93f5d9755bff5fb230ec06535b0786b8
Instruction Fuzzy Hash: 44319E70A042099BCF00FBA6CA42BDEBBB5EF49700F10497AE540B6282D7795E51CF69

Function 00483858 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85threadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920
RtlExitUserThread.NTDLL(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F
@, xrefs: 004838F6

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Thread$CreateExitSleepUser
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 109117123-4253556105
Opcode ID: 42f0a1c2957b48f7db12a0605d88cc59a4fb094909fba9af75420654a8eed734
Instruction ID: f9d6cd39d9c23f0841c0acb005dd29cb950e3e8bcfb665bce00bd41e8d019a16
Opcode Fuzzy Hash: 42f0a1c2957b48f7db12a0605d88cc59a4fb094909fba9af75420654a8eed734
Instruction Fuzzy Hash: 0C317070A04209AFCB00FFA5C842A9EBBB5EF45B05F10497AE140B6291D7795E51CF59

Function 00431630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Clipboard$DataEnumFormats
String ID: 84B
API String ID: 1256399260-4139892337
Opcode ID: 4219c04158b95b345db8d233863d4f11910d9c89ddc842dd24f410603c174a87
Instruction ID: ff5c98a8763761211607e77cacae524aff0688b704e0153d877757c2f50ea531
Opcode Fuzzy Hash: 4219c04158b95b345db8d233863d4f11910d9c89ddc842dd24f410603c174a87
Instruction Fuzzy Hash: B911E2707042049FCB00EBAAE99296AB7E8EF88318B14007BF404DB3E1DE399C018658

Function 00473D08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00473DAA), ref: 00473D47
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00473DAA), ref: 00473D56
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00473D82
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 00473D88

Strings

L9G, xrefs: 00473D66

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID: L9G
API String ID: 3919263394-1627255871
Opcode ID: 7a4f968ceea1c80c161ce31f524ed7d12ba7a9cf6897a16bee17ad6a486d7f6f
Instruction ID: 84e136a9889659cbc120cce4238abd922c707cfdc7fc235f052f83d4754a7617
Opcode Fuzzy Hash: 7a4f968ceea1c80c161ce31f524ed7d12ba7a9cf6897a16bee17ad6a486d7f6f
Instruction Fuzzy Hash: DF11A0B0A04204BFE720EB65CC82FAFB7BCDB45724F60407AF514B72D1D6B86E009669

Function 0042EA7C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32 ref: 0042EB0A

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029,00000000,?,?,?,?,00000000,?,0040331C,00000000,00403349), ref: 004076AD

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Thread$CurrentFindProcessValue
String ID: OleMainThreadWndClass
API String ID: 973455579-3883841218
Opcode ID: b10ee7b4311bedd8a02f4c8b6a14b5cdc3576e2ebf8fd4ee16def8fe29f58f9b
Instruction ID: 3dc99f441cbbede9a6a90ceb584179f5b103827a6b127714019bffc55e4543cd
Opcode Fuzzy Hash: b10ee7b4311bedd8a02f4c8b6a14b5cdc3576e2ebf8fd4ee16def8fe29f58f9b
Instruction Fuzzy Hash: 6D01CC307016154EC620A767D845FAE32947B01358F8605BFF4116B2D3C77D5C41979A

Function 00401D90 Relevance: 7.7, APIs: 6, Instructions: 196sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,00000000,00401A02), ref: 00401E26
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00401A02), ref: 00401E40

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0658a26165dfe11a71e8e5bf91f1e6dfc6673b3b5ed921901ac69654fee218d3
Instruction ID: 280e6153d3f621d3339723179526883bd68d610e10723e7e5f411b5a6cdb0fe1
Opcode Fuzzy Hash: 0658a26165dfe11a71e8e5bf91f1e6dfc6673b3b5ed921901ac69654fee218d3
Instruction Fuzzy Hash: 8361CF716042408FE716DF68C984B1BBBD4EF95314F2882BFE8489B3E2D778D9418799

Function 0043D9A4 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,?,?), ref: 0043DA73
MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB05
MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB34
MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB63
MulDiv.KERNEL32(?,00000000,00000000), ref: 0043DB86

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427b3cb58f6961ef56a93255873bae8c1105c158471aa706a38dd43a19803bd1
Instruction ID: 30fdeedd186cb293460d9106d0277b40e192e7c44a4fa8c41a56d1ee01a12c62
Opcode Fuzzy Hash: 427b3cb58f6961ef56a93255873bae8c1105c158471aa706a38dd43a19803bd1
Instruction Fuzzy Hash: 6D81C334A04204EFDB44DBA9D589A9EB7F9AF48304F2541B6E808DB362DB34AE40DB54

Function 0043F914 Relevance: 7.7, APIs: 5, Instructions: 174windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 00407550: LoadStringA.USER32(00000000,0000FF91,?,00001000), ref: 00407582

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$LoadStringWindow
String ID:
API String ID: 1738039741-0
Opcode ID: 5288ce882c23e549840cd028d49c9d4e5b7fcbd8b4b8055bbccc0491f5fdd421
Instruction ID: a2532ed296aaca44e1c6de19fdfe80cbd4cd99d3913609f125dfb974a20550da
Opcode Fuzzy Hash: 5288ce882c23e549840cd028d49c9d4e5b7fcbd8b4b8055bbccc0491f5fdd421
Instruction Fuzzy Hash: FB519FB0A043055ADB20AB39888676A67946F48708F04647FFC49AB397DE7CDC4C8759

Function 00434AE4 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 9059c8c7aad982c0553cd365936dd021185d668aba8fddca7e52af7508275176
Instruction ID: 4474ca1fe0641309f6af3567fdadf1a3f93f9cdaa9ed04adaee8a277695298db
Opcode Fuzzy Hash: 9059c8c7aad982c0553cd365936dd021185d668aba8fddca7e52af7508275176
Instruction Fuzzy Hash: 95519270A00604AFDB10EBA9C881BDFB7A5EF89324F55516AF850A7391C73CFD408B68

Function 00473208 Relevance: 7.6, APIs: 5, Instructions: 114networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WS2_32(?), ref: 004732AC
inet_ntoa.WS2_32(?), ref: 004732E8
closesocket.WS2_32(000000FF), ref: 00473319

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: inet_ntoa$Ioctlclosesocketsocket
String ID:
API String ID: 4072187599-0
Opcode ID: 48d4df02d0504f8eda764eb0a0579c01d6fbbdec3c354c22fd2baab0a400123d
Instruction ID: df59a71f5368ad083a9d17eb8c0d40df95f647edb997494a596d8df9614b4470
Opcode Fuzzy Hash: 48d4df02d0504f8eda764eb0a0579c01d6fbbdec3c354c22fd2baab0a400123d
Instruction Fuzzy Hash: D031F871A00A14AFDB21DF55CC41BDFB77AEB85714F108067FD04BB180DA796E059AA8

Function 004455EC Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000,00445518,00000000,?,?,02378130,00448275), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005,?,?,02378130,00448275), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Show$OwnedPopupsWindow$EnumWindows
String ID:
API String ID: 315437064-0
Opcode ID: 81f71630437b3a42195c352f3d05fd3ff7b259b932490981182b2dc959ae7826
Instruction ID: f765bda79f8973cc8f8af83c84ed5e2d9b390c63a9c03f4a47b8107340ee6d36
Opcode Fuzzy Hash: 81f71630437b3a42195c352f3d05fd3ff7b259b932490981182b2dc959ae7826
Instruction Fuzzy Hash: A6316531750A008BEF20EB3DC845F5673D6AB91329F55453FE45D8B2E3CA78AC858B08

Function 004878A4 Relevance: 7.6, APIs: 5, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0049C3A8), ref: 004878F3

Part of subcall function 00487318: RtlEnterCriticalSection.NTDLL(0049C3A8), ref: 00487347

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000,00000000,00000000,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879B4
RtlLeaveCriticalSection.NTDLL(0049C3A8), ref: 004879CB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$AllocCloseCreateHandleLeaveLocalThread
String ID:
API String ID: 1089455982-0
Opcode ID: 9cc05d7f378bd184611ca56150661b1d8701c114d5bea5d46de3e95f06d61272
Instruction ID: e068474e461a39b7e082ea5237c64619a375e42a34232f35b00c94968281a6c0
Opcode Fuzzy Hash: 9cc05d7f378bd184611ca56150661b1d8701c114d5bea5d46de3e95f06d61272
Instruction Fuzzy Hash: 8A414670A14209AFDB00FF95CC92A9EBBB5EF48704F60847BF514B6291D778AD018B59

Function 0042EB3C Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32 ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
String ID:
API String ID: 2725875890-0
Opcode ID: 5e6a8f8f11a1ecece3c40051b1880d12c77f539d77dcc0a5b60d2b5d727fb8b3
Instruction ID: c27327caccafb5d17abbad0a0c6b679d28f0d30169e972cbd362b20f7aac55e0
Opcode Fuzzy Hash: 5e6a8f8f11a1ecece3c40051b1880d12c77f539d77dcc0a5b60d2b5d727fb8b3
Instruction Fuzzy Hash: 7B21B372700219ABDB10DEA6DC85FAF37ADEB49350F50053AFA05E7280D67DED4087A9

Function 00434924 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417d2e33efd8d1f4a4e13b39fe3434ad07656f76604e99a58816d22ffa866e7c
Instruction ID: f38e40545f3a6f7f33cc825dd442a49a2369967ec672df0a98496aff5399133a
Opcode Fuzzy Hash: 417d2e33efd8d1f4a4e13b39fe3434ad07656f76604e99a58816d22ffa866e7c
Instruction Fuzzy Hash: D51175B16012495ADB60AA7B89067DB27845FC970CF04216FBD919B383CF3CEC45C69C

Function 00428A00 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB

73A0A570.USER32(00000000), ref: 00428A3E
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00428AAF,?,?,?,?,00000000), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$Select$A570ColorDeleteTable
String ID:
API String ID: 1418124628-0
Opcode ID: 459ee56b8a0076c6d5f42f18b9545e0a98d32530f80f1c14435ed32ef1dec8e8
Instruction ID: 89e55e46c886e53e27e6994c94697f070aa226fdf736d19200dd4a213e954df7
Opcode Fuzzy Hash: 459ee56b8a0076c6d5f42f18b9545e0a98d32530f80f1c14435ed32ef1dec8e8
Instruction Fuzzy Hash: 4A115171E052196BDB10EBE9DC41AAEB3BCEF48704F4044BAF904E7682DA789D4087A4

Function 0046DD38 Relevance: 7.6, APIs: 5, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0046DDF8), ref: 0046DD73
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF,00000000,0046DDD6,?,00000000,00000000,000F003F,00000000,0046DDF8), ref: 0046DDA1
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,000F01FF,00000000,0046DDD6,?,00000000,00000000,000F003F,00000000,0046DDF8), ref: 0046DDB4
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,000F01FF,00000000,0046DDD6,?,00000000,00000000,000F003F,00000000,0046DDF8), ref: 0046DDBA
CloseServiceHandle.ADVAPI32(00000000,0046DDDD,?,00000000,00000000,000F01FF,00000000,0046DDD6,?,00000000,00000000,000F003F,00000000,0046DDF8), ref: 0046DDD0

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID:
API String ID: 1485051382-0
Opcode ID: 2f464f236cef4453b537482dff97950f1fb1000a7f10605753704b9d11f1f76e
Instruction ID: b2bf648e9c28990d28f84aa75d2ec1e2979c0b7f568cadef568eec4470b52009
Opcode Fuzzy Hash: 2f464f236cef4453b537482dff97950f1fb1000a7f10605753704b9d11f1f76e
Instruction Fuzzy Hash: BB114FB0E40708BFDB05EBA6CC52A6FBBB8EB49714F61447AB510E2681E6785900CB59

Function 0046DC70 Relevance: 7.6, APIs: 5, Instructions: 64serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0046DD2B), ref: 0046DCAB
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF,00000000,0046DD09,?,00000000,00000000,000F003F,00000000,0046DD2B), ref: 0046DCD9
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,000F01FF,00000000,0046DD09,?,00000000,00000000,000F003F,00000000,0046DD2B), ref: 0046DCE7
CloseServiceHandle.ADVAPI32(00000000,00000000,00000001,?,00000000,00000000,000F01FF,00000000,0046DD09,?,00000000,00000000,000F003F,00000000,0046DD2B), ref: 0046DCED
CloseServiceHandle.ADVAPI32(00000000,0046DD10,?,00000000,00000000,000F01FF,00000000,0046DD09,?,00000000,00000000,000F003F,00000000,0046DD2B), ref: 0046DD03

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ControlManager
String ID:
API String ID: 2705437689-0
Opcode ID: 26fe5fcf8b2d2be3ff56d615f19ce5581ed12070c42200f63a556ac302b65431
Instruction ID: f4a63c36d63dbc772f10b72078c2f0dd07b7d1baa284763727168e3553480a13
Opcode Fuzzy Hash: 26fe5fcf8b2d2be3ff56d615f19ce5581ed12070c42200f63a556ac302b65431
Instruction Fuzzy Hash: DE115174E40704BFDB11BBA6CC52A5FBBA8EB49714F514876F500A3681E67C5900CA59

Function 0040D5C0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 1d9e3c471f6307009a41c853857f32eee9842bf557f42afe10a4d8ba562254eb
Instruction ID: 81d9639949f410756d6313e91defad55bcab0c41faafb99bc3a7c6c2a0003a06
Opcode Fuzzy Hash: 1d9e3c471f6307009a41c853857f32eee9842bf557f42afe10a4d8ba562254eb
Instruction Fuzzy Hash: DF014270E446043BE701BAB58C13F6E726CCB86718FA00577F504F62C1D63DAE00826E

Function 00444B90 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32 ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004474C2,?,00447333), ref: 00444BD4
CloseHandle.KERNEL32(00000000,00000000,004474C2,?,00447333), ref: 00444BDF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: ded9cf5d4c0aaa63f33caae6349075b6406390ce4da940f241fea10fa4a913be
Instruction ID: 3e8eafe7108706a14c16d133dd8fe74e483f53c30c189f57ff72eba54b12659a
Opcode Fuzzy Hash: ded9cf5d4c0aaa63f33caae6349075b6406390ce4da940f241fea10fa4a913be
Instruction Fuzzy Hash: 51F098719541449AEA60EBBD9D87B5A33D4A765315F10093FA410E72A1DE38A840CB1D

Function 00487488 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0049C3A8), ref: 004874B5
closesocket.WS2_32(00000000), ref: 0048761C

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalEnterSectionclosesocket
String ID: FpH
API String ID: 763151358-3698235444
Opcode ID: 66be2723a1daf2fc637343c0f7af1f304d50c6568caad62c1dcac5c4c178fabe
Instruction ID: 014d6c7dbf53fa4957d6004b34e39dadd5b8ac8b6e10eebb7e7ff919d5902d66
Opcode Fuzzy Hash: 66be2723a1daf2fc637343c0f7af1f304d50c6568caad62c1dcac5c4c178fabe
Instruction Fuzzy Hash: BD513474B049059FDB04FB99D4919AFB7B5EB88314B60853BB810B7395DA3CEC028F69

Function 0040D670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
ggg, xrefs: 0040D785
yyyy, xrefs: 0040D795

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 867fb0a8c754460a88f101de0f7bbe7a884297298cce2a16c97d7ecefaea5fb7
Instruction ID: cb2eded8d6144d77a806d5d67bbca697e16fcb31a7e26b9b51427538ed7a3ea7
Opcode Fuzzy Hash: 867fb0a8c754460a88f101de0f7bbe7a884297298cce2a16c97d7ecefaea5fb7
Instruction Fuzzy Hash: 7D41E626F0450447C711BAEA884227FB2EADB85304B64C53BE451F33C5DA3CDD0A9A6E

Function 00486094 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrshutdownsocket
String ID: @^H
API String ID: 1626636048-3554995626
Opcode ID: 653800a9f4583d8fcb12dfb61415bcc4dc947239afede3309b4cf51e5c0c4da3
Instruction ID: 668b0f3ef2f2a4112427f66f718cbb1b44d47742eec345053f3efa6125297b1b
Opcode Fuzzy Hash: 653800a9f4583d8fcb12dfb61415bcc4dc947239afede3309b4cf51e5c0c4da3
Instruction Fuzzy Hash: 78415934600215DFC710EF69C885BAAB7F0FF58308F1144BAF9049B752E739A950CB99

Function 0042A930 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000,00000000), ref: 0042A9F9
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: A570CreateDeleteHalftoneObjectPalette
String ID: (
API String ID: 1897567740-3887548279
Opcode ID: 76435e970d260e14dd08c51be940bbb79dde174e9ed0f333b875da88d7492688
Instruction ID: 0f431452e849f766b31d06aaa992442caf9d889f75fac56a221b4e007dd27547
Opcode Fuzzy Hash: 76435e970d260e14dd08c51be940bbb79dde174e9ed0f333b875da88d7492688
Instruction Fuzzy Hash: CD41F170B04218DFDB10DFA9D485A9EB7F2EF49304F9040ABE804A7391D6785E55CB4A

Function 0040499D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 00404BD7

Strings

@, xrefs: 00404B55
4L@, xrefs: 00404B94, 00404BAB, 00404B71, 00404B99, 00404BF2, 00404BF3, 00404BFB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: @$4L@
API String ID: 3192549508-816902871
Opcode ID: bcf9dde854f427948faed987d613c0c61148ceca2f936dc12a588ac8d5df3104
Instruction ID: ddf3432de19ff96cee22118ec311a003e8f7acb72d87259a3750d8c3bb1762ec
Opcode Fuzzy Hash: bcf9dde854f427948faed987d613c0c61148ceca2f936dc12a588ac8d5df3104
Instruction Fuzzy Hash: 0531AFB4608241AFE724EB15C884F2B77E5ABC4314F15857BE608A7291C738EC84CB2D

Function 0046F5E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C,?,00000000,?,00000000,0046F6B7), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$PlacementTextVisible
String ID: ,
API String ID: 2923846316-3772416878
Opcode ID: 4f9a84bd75cebfb5a29fa87980aa69aaaf6b0bc2d7d0fa8618ec36b973865d7c
Instruction ID: 7bb297613ceb2860488900fb4a1c389b1e2e6db9b347c16121d30143f119c7b1
Opcode Fuzzy Hash: 4f9a84bd75cebfb5a29fa87980aa69aaaf6b0bc2d7d0fa8618ec36b973865d7c
Instruction Fuzzy Hash: 5921A471900608BFDB10EFA1ED42A9F77BDEF44704F60007BB440B25A1EB789E059B59

Function 00473448 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(?,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

84G, xrefs: 00473468, 0047350F, 004734AF
DCSC, xrefs: 0047348E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID: 84G$DCSC
API String ID: 2790792615-1372800958
Opcode ID: f16ba62487e45c0bb3ae0f8d6507cde5dc0cd1ff2598c1b212a8927f2f2ad6f4
Instruction ID: cf760a81baa12cf792fcafcaf38ce4e630975f2ae3a29469885831bbb7575d69
Opcode Fuzzy Hash: f16ba62487e45c0bb3ae0f8d6507cde5dc0cd1ff2598c1b212a8927f2f2ad6f4
Instruction Fuzzy Hash: D0215EB0600604FFD714EF6ADC42B8E7BA4EB04704FA0847BB008A76D2C6786E409F5D

Function 004606CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 004606F6
gethostbyname.WS2_32(00000000), ref: 00460711

Strings

0.0.0.0, xrefs: 0046076C
%d.%d.%d.%d, xrefs: 0046075E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: cc9badf0c084f4eb49e4fcafe4880d7c8f8021d1ac39fbcf06db16789101aa94
Instruction ID: a68b14d7db89d42c4d62e482932328a85465348a4f87ba99872a8eef66d897d9
Opcode Fuzzy Hash: cc9badf0c084f4eb49e4fcafe4880d7c8f8021d1ac39fbcf06db16789101aa94
Instruction Fuzzy Hash: E011E2602083915FC3009A7A484032BBBC49F89349F14897FF894D7386E67CDE058FAB

Function 0043804C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: 3120961b5f2aed66afb396d36cb665d9e3bb4654c350d2f2634c942cfb3d86d8
Instruction ID: 796bbc59969b9dd7a9d5bda8889d0a047799a05cf3daead4c937c16a65311190
Opcode Fuzzy Hash: 3120961b5f2aed66afb396d36cb665d9e3bb4654c350d2f2634c942cfb3d86d8
Instruction Fuzzy Hash: 161182312053005FD7109B29CC81B4BB6E4AF88364F14D62EF494DB3E6DB79D948C789

Function 0048C3E4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,0048C473), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: _DCEntryPoint
API String ID: 145871493-2130044969
Opcode ID: dc9de319974c91b80f75a171a3fafd18a087cecb792355b11053285377cf0a19
Instruction ID: 0a300236071779ff74f1163fb28d1d435799c7cfefb16094ecf62a0a87b511dc
Opcode Fuzzy Hash: dc9de319974c91b80f75a171a3fafd18a087cecb792355b11053285377cf0a19
Instruction Fuzzy Hash: 44015270614608AFDB00FB71DCD295E77ACEB45704BA1487BA501A2692DA3CAE448B69

Function 0042E2E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect$B
API String ID: 1792783759-20189883
Opcode ID: c4233d62c1f5c8efbdee28eb20025ebbf54ff8a537a9b06a5da3890313890725
Instruction ID: dc5f8bef81080ac6e58aab0957e71af51fc3e882e0a54e95acd7cc2d2fad424f
Opcode Fuzzy Hash: c4233d62c1f5c8efbdee28eb20025ebbf54ff8a537a9b06a5da3890313890725
Instruction Fuzzy Hash: 97014F31700264DBE710CB5AEC86B56BB66E792766F88407BED05CB602C3789C40CBAD

Function 0042F9E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL,?,?,?,00447F98), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 0042FA31

Strings

DwmExtendFrameIntoClientArea, xrefs: 0042FA26
DWMAPI.DLL, xrefs: 0042FA09

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 2574300362-2956373744
Opcode ID: cbffe4edd2f2ef447d685c1bd5452ff904a6874e48ee84ebba24b8ca91363ddb
Instruction ID: fcf78170a3cf770167fa5f36a9b525ed706a05443091ba13c5a63d82eb46c79f
Opcode Fuzzy Hash: cbffe4edd2f2ef447d685c1bd5452ff904a6874e48ee84ebba24b8ca91363ddb
Instruction Fuzzy Hash: 1DF01D757002209FDB109BAEFC59B4736B4B7A9759F80403FA109972A1C37D2C48CB6D

Function 00489E08 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00489E55

Strings

open, xrefs: 00489E4E
cmd.exe, xrefs: 00489E49
/k , xrefs: 00489E36

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /k $cmd.exe$open
API String ID: 587946157-2943618638
Opcode ID: b36887bf7e4b0bcce89e05cb4c512ae014f10941a035e9d745ef3fa335c150bd
Instruction ID: 27d1b85cc062e7ddcf84c2f73e9695fc4a26b4e0be3d567abf4813233345782d
Opcode Fuzzy Hash: b36887bf7e4b0bcce89e05cb4c512ae014f10941a035e9d745ef3fa335c150bd
Instruction Fuzzy Hash: B4F04470610B04BBDB14FAA5CC52B6EBFA8DB85710F644476A404B26D1D7785E00DA59

Function 0042FA80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL,?,?,0042FB22,?,00447EFB), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 0042FAC9

Strings

DWMAPI.DLL, xrefs: 0042FAA1
DwmIsCompositionEnabled, xrefs: 0042FABE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 2574300362-2128843254
Opcode ID: 783662385db0a180f92178ad6978572c092378b63905f9447fe6834710138d35
Instruction ID: e865cc1d961e5560293b4342ba215906113c7bd0c8dbfb923edd7503eb684348
Opcode Fuzzy Hash: 783662385db0a180f92178ad6978572c092378b63905f9447fe6834710138d35
Instruction Fuzzy Hash: 90F0B7717112319FEB10ABA9F84975632B4B76C359F90043FA109962A1D2BD2C48CB5D

Function 0040F4AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 4cc31627e91733d5dd97eeb503830692a25aae6e0e406c6413c6a608c2f6e091
Instruction ID: 0d62609c0d87e9bc12772cdc487b7bb4e46ba53de1f656002390614a84bce5b3
Opcode Fuzzy Hash: 4cc31627e91733d5dd97eeb503830692a25aae6e0e406c6413c6a608c2f6e091
Instruction Fuzzy Hash: 17D05E64A003024AD330FBA2588570722EC8330348B10853BA820766E2DFBC98089F4E

Function 0042EC20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles), ref: 0042EC37

Strings

ole32.dll, xrefs: 0042EC21
CoWaitForMultipleHandles, xrefs: 0042EC31

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CoWaitForMultipleHandles$ole32.dll
API String ID: 1646373207-2593175619
Opcode ID: 71d1f1b6b167f0ea05a74daed833860a1450d6d2832c35c7f60d4bc4d4601477
Instruction ID: 1c707138d3e81649b15e1ce0dc5978dd8bf195319b8672649068bb032171cab6
Opcode Fuzzy Hash: 71d1f1b6b167f0ea05a74daed833860a1450d6d2832c35c7f60d4bc4d4601477
Instruction Fuzzy Hash: 3ED09E627053A15FEE00ABE7B8C57173679A750389B90443FA00135655C6BE58449F1D

Function 00447D54 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,?,0048F661,00000000,0048F68F), ref: 00447D5A
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 00447D6B

Strings

SetLayeredWindowAttributes, xrefs: 00447D65
User32.dll, xrefs: 00447D55

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: SetLayeredWindowAttributes$User32.dll
API String ID: 1646373207-2510956139
Opcode ID: 090d732d3254e072cbed815f1791114cea1602195e41d2a072cbc7b457e1790c
Instruction ID: 89f74696c9515f1f60a5e00fa2cf8cc5b85ed691f8b843a35d7c72a9f99c385a
Opcode Fuzzy Hash: 090d732d3254e072cbed815f1791114cea1602195e41d2a072cbc7b457e1790c
Instruction Fuzzy Hash: 0CC02BD0FACB013AB2007FF10CD2A37215C4D4034C310043B700032182DBFCAC01025E

Function 004538D4 Relevance: 6.3, APIs: 4, Instructions: 308COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 00453A53
MulDiv.KERNEL32(?,?,?), ref: 00453A8E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5514173e82925ec4c98ad2bb0ac9fb75202ee9f8500419a3fe379c13f5386cd2
Instruction ID: 68ef9f1f88d9efa14826e557d27bb4446c81758090d7d15f2a4de284e0d97ae0
Opcode Fuzzy Hash: 5514173e82925ec4c98ad2bb0ac9fb75202ee9f8500419a3fe379c13f5386cd2
Instruction Fuzzy Hash: 3CD17C71A04A059FDB11CF69C484AABBBF2BF48302F108959E896DB356C734FE45CB51

Function 0044E40C Relevance: 6.2, APIs: 4, Instructions: 212COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044E481
GetDesktopWindow.USER32 ref: 0044E5B1
SetCursor.USER32(00000000), ref: 0044E5F1
SetCursor.USER32(00000000), ref: 0044E606

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CursorDesktopWindow
String ID:
API String ID: 3023140981-0
Opcode ID: a013222572b915d8e5b09eb8d8d6a2a35e4b0c757d133ba209ac07f97a746832
Instruction ID: a5c2cd3d377f16bec15173dc73fd2654dbd8fa8db2d02a07daf6c9dda43507f7
Opcode Fuzzy Hash: a013222572b915d8e5b09eb8d8d6a2a35e4b0c757d133ba209ac07f97a746832
Instruction Fuzzy Hash: 86912934601240AFE710DF3ED984A5A7BE1BBA9304F0585BFE8448B366DB78EC45CB59

Function 0044DE6C Relevance: 6.1, APIs: 4, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044E2B4: WindowFromPoint.USER32(-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E2BA
Part of subcall function 0044E2B4: GetParent.USER32(00000000), ref: 0044E2D1

GetWindow.USER32(00000000,00000004), ref: 0044DE8E
GetCurrentThreadId.KERNEL32 ref: 0044DF62
GetWindowRect.USER32(00000000,?), ref: 0044DF7F
IntersectRect.USER32(?,?,?), ref: 0044DFED

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000,?,00000000,?,004387ED,?,004378A9), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
String ID:
API String ID: 2049660638-0
Opcode ID: bd958141efdfbaeaca242a96d0172ba21c13b34d5ff0a38146969e9ba1a46992
Instruction ID: 9e25b0c4de8ac9593826e10cda60362fc30e97bb84d7d0ee3ed8c7429b952ba2
Opcode Fuzzy Hash: bd958141efdfbaeaca242a96d0172ba21c13b34d5ff0a38146969e9ba1a46992
Instruction Fuzzy Hash: B251AF31E001099FDB20DFA9C485AAEB7F4AF08354F1441AAF805EB351EB38ED05CB99

Function 00411444 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction ID: cab86c602b54948d4f88bb36a43d8803a5233357784664e1254e066218a73c04
Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction Fuzzy Hash: D241FA75A0121D9FCB61DB59CC91BD9B3BDAF48714F0041DAE649E7222DA38AFC08F58

Function 0040D8AC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: c69cc8a73fb96c924f201388a030d3378615ce6a01c282ac1113fb1fd46e56d4
Instruction ID: 1bfa35b3286bf150645f38c2bec688b4392a860aa3854ae67781de399f3d5790
Opcode Fuzzy Hash: c69cc8a73fb96c924f201388a030d3378615ce6a01c282ac1113fb1fd46e56d4
Instruction Fuzzy Hash: 16411371E002589BDB21DBA9CC85BDAB7B89B08304F0440FAA548F7291D778AF84CF59

Function 0040D8AA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 33710387fc01e37e6b501eb16bdd5be4669e32278954024dcf3041876f2921f7
Instruction ID: f85c759a6d19d1c43c30d787c81a7b7be61824bd6937ac9ab050fc02a3367429
Opcode Fuzzy Hash: 33710387fc01e37e6b501eb16bdd5be4669e32278954024dcf3041876f2921f7
Instruction Fuzzy Hash: D7412571E002589BD711DB99CC85BDAB7B89B08304F4440FAB548F7291D7789F84CF59

Function 00470B94 Relevance: 6.1, APIs: 4, Instructions: 73fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000), ref: 00470BDE
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 00470BF0
DragQueryFile.SHELL32(?,00000000,?,00000105), ref: 00470C10
GlobalUnlock.KERNEL32(00000000), ref: 00470C56

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: DragFileGlobalQuery$ClipboardDataLockUnlock
String ID:
API String ID: 3712500663-0
Opcode ID: 1e5a6c0af4cfd364a4287fb39c28367ddd890438fc510a0449d5219834a1fa38
Instruction ID: f29ff63567113a161b16e310a4652d7eab08671450cbef5ddba763d9d47e18d3
Opcode Fuzzy Hash: 1e5a6c0af4cfd364a4287fb39c28367ddd890438fc510a0449d5219834a1fa38
Instruction Fuzzy Hash: 7A21A130A0060DAFDB25EBA6CC46BDEB6BDEF44704F5041B7B508E3191D678AE408A59

Function 00438710 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: e4fc4d16ca1a58d9dc919c03c4120a27049188f647e80e8b852713a3752e95c8
Instruction ID: 4445c07b309860435ed1900f1c8f07edae592b28bfc19ebe557ab8a263edd411
Opcode Fuzzy Hash: e4fc4d16ca1a58d9dc919c03c4120a27049188f647e80e8b852713a3752e95c8
Instruction Fuzzy Hash: 6D116075201214AFCB10EA698C819AFB7E99F49364F20546EF958D7381DA389D029764

Function 00445518 Relevance: 6.1, APIs: 4, Instructions: 71threadwindowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Process$CurrentThreadVisible
String ID:
API String ID: 3926708836-0
Opcode ID: cf774294026ba9430f0356ee9fe5f0d889c0a25b38098ac12d59c0f4c4171a0c
Instruction ID: b5c4deab8c7cf64f686ea7aced4f3fe8afeb05f275eae08bfe96d692e86abc19
Opcode Fuzzy Hash: cf774294026ba9430f0356ee9fe5f0d889c0a25b38098ac12d59c0f4c4171a0c
Instruction Fuzzy Hash: 9F216F71300600ABEF10EB6ADDC2D6A33EAAB50314B20407BF9019B357DE39ED45876C

Function 00443430 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004408B8), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 717edc08d492b10e977a01c39bd90696cad71758d24ca10dff8dc6b7536ce234
Instruction ID: fc9bd34a641e5069966aa1f9253d96bee2abad2aae9060c33e21484fe4320937
Opcode Fuzzy Hash: 717edc08d492b10e977a01c39bd90696cad71758d24ca10dff8dc6b7536ce234
Instruction Fuzzy Hash: 2711E7A0A0065436DB116F754C46B6A2A4C0B1572BF08057FBC95EA2C3CE7CCA48C76C

Function 00466888 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,004667A4,?), ref: 004668A9
UnregisterClassA.USER32(004667A4,00400000), ref: 004668D2
RegisterClassA.USER32(00492AC8), ref: 004668DC
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00466927

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 1361744953ea873d6b32f515f136a2e1fa596bcaa48eca3c214a597cd70c792d
Instruction ID: 3a7649a2c5b790901fc4f285049fbd28333fe9236c9632785a37b3f7d0da47cf
Opcode Fuzzy Hash: 1361744953ea873d6b32f515f136a2e1fa596bcaa48eca3c214a597cd70c792d
Instruction Fuzzy Hash: C201A1726441007BCB50EBA89E81F5B379DE718314F11413BF944E73D1DA79E845876D

Function 0042B29C Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: b47afb5eb511aca4f03d9de83dda0e9554922f77b4baa286230760b7e4f4b8db
Instruction ID: 41c7b2879172756473c4c529f1409dbd5c07a41a3725de9276adf285cb9331a7
Opcode Fuzzy Hash: b47afb5eb511aca4f03d9de83dda0e9554922f77b4baa286230760b7e4f4b8db
Instruction Fuzzy Hash: 71111275B04208AFDB04DFA5D9818AEB7F9EF48300B5085AAFD04E7355DB34ED019A94

Function 00426210 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00429DA7,?,?,?,?,0042889B), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ObjectSelect$ColorDeleteTable
String ID:
API String ID: 3862836420-0
Opcode ID: 1ca0ea2a30b5f9ec87b67caa3006731a500d3e57da45ded6ae2804fad1160acf
Instruction ID: 2d406f2276c00154e1a94b7392b5cffd8c46c8785723cda12f88f537d4201806
Opcode Fuzzy Hash: 1ca0ea2a30b5f9ec87b67caa3006731a500d3e57da45ded6ae2804fad1160acf
Instruction Fuzzy Hash: EF018471708310A2E614B7669C43F6B72A98FC0718F15886FB584972C2E67C9C4452EF

Function 00450350 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000000,00000000), ref: 00450365
MulDiv.KERNEL32(?,00000000,00000000), ref: 00450382
MulDiv.KERNEL32(?,00000000,00000000), ref: 0045039F
MulDiv.KERNEL32(?,00000000,00000000), ref: 004503BC

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0466c361a850ab9f170d0962fd17ac30b440ff8ad54b3735b7d0dcb7ceaad6f0
Instruction ID: 43f1ab9f737733cb6dea97c24c6e81f1cc91a978def0eee6151f26c360f8f18d
Opcode Fuzzy Hash: 0466c361a850ab9f170d0962fd17ac30b440ff8ad54b3735b7d0dcb7ceaad6f0
Instruction Fuzzy Hash: 70018B2570820C2BD324BE276C44F5B3A5DDFC2714B00457EBE299B343E9ADEC0583A8

Function 00445334 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_000452BC), ref: 004453C2

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 78b51759b18893e656c0df72f3859838825290b8097ad2adc499b8842e77f762
Instruction ID: c8332a885479ae0c7b6d0aff87d2a3103102a9f6306b53b98315deba79dc9663
Opcode Fuzzy Hash: 78b51759b18893e656c0df72f3859838825290b8097ad2adc499b8842e77f762
Instruction Fuzzy Hash: F911C231604A10AFEB10AE28CC81F9A73D8AB41764F14067EFD98EB2D3C6B89C408765

Function 0040A404 Relevance: 6.1, APIs: 4, Instructions: 54timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 55d53cb21e89f1729f9ee26751a19f022f705f4629744f421492ba9ff8e64f2d
Instruction ID: 102ea568e68c1ca8e32db508c12b28ddf1adc9d8aabe648b82930bfe66b03b3c
Opcode Fuzzy Hash: 55d53cb21e89f1729f9ee26751a19f022f705f4629744f421492ba9ff8e64f2d
Instruction Fuzzy Hash: FB1161B2A042009FDB44DFA9C8C5C9773ECEF8830475185B7ED45DB24AE638E9118BA6

Function 0041C2D4 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 8ca1b039680916f72078d49da694da8b64f6d4e4b7ab777a64e8123957097da1
Instruction ID: dfa690896acbcf9ee164be46d0a5d467c7e272d6235caba40c78dbe5a7786a72
Opcode Fuzzy Hash: 8ca1b039680916f72078d49da694da8b64f6d4e4b7ab777a64e8123957097da1
Instruction Fuzzy Hash: EFF06D73A092046F9744EE9DAD81D9B77ECEE89364310406FFD18D7202DA38ED4147B9

Function 00484388 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000,004843E7,004843E0,?,00000001,00000000,00000000), ref: 004843DA

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Process$CloseCodeExitHandleOpenTerminate
String ID:
API String ID: 315287510-0
Opcode ID: ce343bc79c5ef81ed084953790ac9be7ad30bd2e3901011d5fe6fcbe84b8e51d
Instruction ID: 80d79d5a99ccd0432db7e52ddf200e3a7cb1bc2d7923bd238d1990a18f6c60dd
Opcode Fuzzy Hash: ce343bc79c5ef81ed084953790ac9be7ad30bd2e3901011d5fe6fcbe84b8e51d
Instruction Fuzzy Hash: ECF06276E08208BFEB00ABE59C42F9EB7ACD748714F600466F504E26C0D639AA40D769

Function 0044E254 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000,00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 78e71e4a8fa66b56695303ee18d46d26064ec84ef7aff1e3088a4be34412dfcf
Instruction ID: 108dc389ae2805b6527c23ce436246bf7dd19daa0d154bb0db40879b10eee470
Opcode Fuzzy Hash: 78e71e4a8fa66b56695303ee18d46d26064ec84ef7aff1e3088a4be34412dfcf
Instruction Fuzzy Hash: 6BF0EC6171552257EA6177B75D4147F118CBE41314310007FFC40D1146DE7CCC83A1BE

Function 0044D2F4 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 0044D301
GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
GlobalFindAtomA.KERNEL32(00000000,?,00000000,?,004387ED,?,004378A9), ref: 0044D31F
GetPropA.USER32(?,00000000), ref: 0044D336

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 9fea651bc6240c10730b5963b566c1d8990624d7601b5a7153bf010a8a0aa483
Instruction ID: 8b346ad22a70303e6149d652c663f91cf55635e126bd19d15ad37056d599129e
Opcode Fuzzy Hash: 9fea651bc6240c10730b5963b566c1d8990624d7601b5a7153bf010a8a0aa483
Instruction Fuzzy Hash: CDF03061B0521166E6207BFA5D8286F268C9A967A4340043FFD42E6243DD3CCC4143BE

Function 00444B1C Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 0ba0917f73b943ef282e26b4d9324e5c44894b2dc3e077c6b1217f8667371603
Instruction ID: ad5bdc25ec605e634095493db4c5df0f88b6d7af2749ec2c182bf55b4997a66e
Opcode Fuzzy Hash: 0ba0917f73b943ef282e26b4d9324e5c44894b2dc3e077c6b1217f8667371603
Instruction Fuzzy Hash: 88F0F470AC53487EF730AB699D47F2636D8D764B26F10503FF204791D1CAB868808B5E

Function 0042473C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00423A1C: RtlEnterCriticalSection.NTDLL(?), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CompareCreateCriticalEnterFontIndirectSectionString
String ID: Default
API String ID: 249151401-753088835
Opcode ID: b0279b78a1f9341c076f4f0069a384a9069793346afe2bfb10c1e9e31fb34e0c
Instruction ID: 0750ee8d3e70a248d072dd5e84d46cc935511a93ac2d9f6683bc49608a055191
Opcode Fuzzy Hash: b0279b78a1f9341c076f4f0069a384a9069793346afe2bfb10c1e9e31fb34e0c
Instruction Fuzzy Hash: 6761AF74A04298DFDB10DFA8E441B9EBBF5EF85304FA440AAE400A7352D3789E41CB69

Function 004870D4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0049C3A8), ref: 00487110
RtlLeaveCriticalSection.NTDLL(0049C3A8), ref: 004872D4

Strings

FpH, xrefs: 004871DC, 00487289, 004871DF

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: FpH
API String ID: 3168844106-3698235444
Opcode ID: 8ea77f74b61230213ca5e5db63172e230dc18e19719e86902847ce990beb1337
Instruction ID: 0e7223337c94cfb4bbdb6a528d93948804825ba2dceaf412d13022da24981a28
Opcode Fuzzy Hash: 8ea77f74b61230213ca5e5db63172e230dc18e19719e86902847ce990beb1337
Instruction Fuzzy Hash: 32510D357045099FDF04EB95D851A9E77B5EB48304F60497AF800B7796DA38AC01CF79

Function 00404C5A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00404D2E

Strings

@, xrefs: 00404D07

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: @
API String ID: 3192549508-1615503679
Opcode ID: bb29aa22a639e20c03621917402b57045d4f19db46f9fbfaadd3a61db7a9670f
Instruction ID: 7b23b5d6ac3945664165a7832c2530b6031b764ca23a5f1e3c13a7e6695e3c5d
Opcode Fuzzy Hash: bb29aa22a639e20c03621917402b57045d4f19db46f9fbfaadd3a61db7a9670f
Instruction Fuzzy Hash: 5641A1B46082419FD320DF14D884B27B7E5EFC8714F25857AE645A73A1C739EC41CB69

Function 0045E7B4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: E
API String ID: 542301482-2089609516
Opcode ID: 87884c643e29fd276bfd511b14d9c6c9f445f3bacbf46f296f2b4dee0f39e316
Instruction ID: 647f1a6552efa59006bda00afc354c8ab4d2e0e5b4e9863a901f183eb340e257
Opcode Fuzzy Hash: 87884c643e29fd276bfd511b14d9c6c9f445f3bacbf46f296f2b4dee0f39e316
Instruction Fuzzy Hash: 88315330A14218ABDB14EB56D981B9F77E9EF48704F904067FD00A7382DB78EE058B99

Function 004630C8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00492A3C,00000000,00000003,0049299C,00000000), ref: 0046315A

Strings

L*I, xrefs: 0046317F
<*I, xrefs: 00463154

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: <*I$L*I
API String ID: 542301482-935359969
Opcode ID: b89da7da2cbb2ca597b5a801ec7feb1d8cf07b6d662a62dae5cbea83b49e7390
Instruction ID: 8911b51016648177f69835b9ee16ab3db86079f14bfbda1bba152385d54be3c9
Opcode Fuzzy Hash: b89da7da2cbb2ca597b5a801ec7feb1d8cf07b6d662a62dae5cbea83b49e7390
Instruction Fuzzy Hash: 9E412C7091424D9FDB11DFA5DC42AEFBBF8FB09314F50457BE404B2291E7785A40CAAA

Function 0046E3F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?,00000000,0046E55E), ref: 0046E44B
SHGetPathFromIDList.SHELL32(?,?), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.COMBASE(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateFolderFromInstanceListLocationPathSpecial
String ID: .LNK
API String ID: 2911153413-2547878182
Opcode ID: 10eb596e800604c91217c1fdbc5244a3e4b3464b5b3a77631530c10e5f01bb46
Instruction ID: 34fc5f22480ae562584a80b72cbf4776a513aff26f6ff4faef366d8d945c011d
Opcode Fuzzy Hash: 10eb596e800604c91217c1fdbc5244a3e4b3464b5b3a77631530c10e5f01bb46
Instruction Fuzzy Hash: 1141DA75A00119AFCB10EF95C881ADEB7F8EF08314F5045BAA509E7291EB34AE548F69

Function 00472C70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D
drivers\etc\hosts, xrefs: 00472CD3, 00472D00

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: AttributesDirectoryFileSystem
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 1682718127-57959411
Opcode ID: 64b7010500cc72a18ad9423f95a9d2af5d36b7e90492c9edcba0d392981ac030
Instruction ID: 108433249ca9f77430d43611c146bd9a9555b6dd73c2718f9bf05e2fbe1fbb0f
Opcode Fuzzy Hash: 64b7010500cc72a18ad9423f95a9d2af5d36b7e90492c9edcba0d392981ac030
Instruction Fuzzy Hash: 2C318570A006189FDB11FF66CD426CEB7B9EF49304F5084BBE808B2291DB789F458E59

Function 004629C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

L*I, xrefs: 00462A60
<*I, xrefs: 00462A39

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: <*I$L*I
API String ID: 542301482-935359969
Opcode ID: 993177e28bb83657a4f0d7934c19b7b57de84426a20734aec35bf03e86f42b0c
Instruction ID: 57f55eabde9ec8a13629bfb0fd3d49ff740ad63e8caa479f115da8ad1b302003
Opcode Fuzzy Hash: 993177e28bb83657a4f0d7934c19b7b57de84426a20734aec35bf03e86f42b0c
Instruction Fuzzy Hash: 3331C170900609BFDB21DBA4DD56A9B77F8EB09314F5042B6F400A3291E7B8AD04CB6A

Function 004658F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: Virtual$FreeProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 2581862158-3584865983
Opcode ID: 6d8bacac02a381a1e960a19d1b5836a8290fd5d9c70f16fba2b36d910c6932ab
Instruction ID: cd89de6189cb887fe36dad8fb976eb45167b2a9217078df111c2bd8ce3794e6d
Opcode Fuzzy Hash: 6d8bacac02a381a1e960a19d1b5836a8290fd5d9c70f16fba2b36d910c6932ab
Instruction Fuzzy Hash: 5A3129B5704A01DFE700DB5DD885F5677E8AF08364F144156FA58DB3A1E338ED048B8A

Function 0040C028 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 0e142008d243cd8e910f29fac0d96562f194efd0a650c15bae631fbb907bfd48
Instruction ID: 806b1eedba5da343839ca0bbebfa815527dd4d282e64c7db681efa54e76182cb
Opcode Fuzzy Hash: 0e142008d243cd8e910f29fac0d96562f194efd0a650c15bae631fbb907bfd48
Instruction Fuzzy Hash: BC214475A00618DBDB11DB95C881AAF73B8EF48740F5141B7F944F72D2D6389E40CBA9

Function 00429480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00499A18), ref: 004294B3
RtlLeaveCriticalSection.NTDLL(00499A18), ref: 0042953C

Part of subcall function 00429EBC: RtlEnterCriticalSection.NTDLL(00499A18), ref: 00429F60
Part of subcall function 00429EBC: RtlLeaveCriticalSection.NTDLL(00499A18), ref: 00429F9E

Strings

6B, xrefs: 00429493

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: 6B
API String ID: 3168844106-4127139157
Opcode ID: fa09819f291eb57bd46da5037ae40dc2532e18dc65c2260e842156a19a9edc01
Instruction ID: c436ad2ceecef9db71b827f24a8bc2f81bdce238aadd300098659fb891615237
Opcode Fuzzy Hash: fa09819f291eb57bd46da5037ae40dc2532e18dc65c2260e842156a19a9edc01
Instruction Fuzzy Hash: 8021D631704254AFCB11DF9AD98299EB7F5EF48314FA041BBB40497791C638EE41CB48

Function 004889F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000000,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

MONSIZE, xrefs: 00488A65
H, xrefs: 00488A19

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: InfoMonitorsend
String ID: H$MONSIZE
API String ID: 1515828956-578782711
Opcode ID: 72244f0be063ac04e0557e46705f5e0299511308528ffb559c85dcab92249e03
Instruction ID: 69a88adad1f06505f68257dc375ca35d4bb91794e4be082188adddab23c78d66
Opcode Fuzzy Hash: 72244f0be063ac04e0557e46705f5e0299511308528ffb559c85dcab92249e03
Instruction Fuzzy Hash: 9D212C749403089FCB50EFE5CC81A9DBBB6FB48710F90853BE804AB299E7786915CF58

Function 00405026 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 004050A2
@, xrefs: 00405080

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: @$@
API String ID: 3192549508-55883348
Opcode ID: 49eacba880296758ea4d5c396df1383b101e9b56b834902ad2388b0bfa14426f
Instruction ID: fc8813f7c4006d62bdedb233a1bdc50888f087d7813f8b9b5ea1f2e80d04d4c2
Opcode Fuzzy Hash: 49eacba880296758ea4d5c396df1383b101e9b56b834902ad2388b0bfa14426f
Instruction Fuzzy Hash: 6C2181753046029BD724EF28D985B2F73A5EB84314F24853BA544AB3D5C73CDC81EB99

Function 00486374 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-646448871
Opcode ID: e3df9752dd3ed717e697d17ee2e12eed816abab97c3186ef81cd29e82e1e1476
Instruction ID: 496fae78bc18a10eab856a829f5cdf73656815cb8b2cd1f4b2361e6db55a5dc6
Opcode Fuzzy Hash: e3df9752dd3ed717e697d17ee2e12eed816abab97c3186ef81cd29e82e1e1476
Instruction Fuzzy Hash: 2921A431A00659AFD750EB55CC41A9FB7B9EF44704F514576E800E3391E778AE008B58

Function 004049FB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 00404BD7

Strings

@, xrefs: 00404B55
4L@, xrefs: 00404B94, 00404BAB, 00404B71, 00404B99, 00404BF2, 00404BF3, 00404BFB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: @$4L@
API String ID: 3192549508-816902871
Opcode ID: caa4d82db9daec3b3c07e8ef7f9ad3806a677642155a0105a709ddfc2c1d2d18
Instruction ID: 263020c684cbcbce8f69ac41b965c8aefdccc7cff18347826ae5d0ab130f056e
Opcode Fuzzy Hash: caa4d82db9daec3b3c07e8ef7f9ad3806a677642155a0105a709ddfc2c1d2d18
Instruction Fuzzy Hash: 2A216FB4204201AFD724EB15C885F2B77A5EBC4714F1685BEE61867291C738EC85CB6E

Function 00404B2E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 00404BD7

Strings

@, xrefs: 00404B55
4L@, xrefs: 00404B94, 00404BAB, 00404B71, 00404B99, 00404BF2, 00404BF3, 00404BFB

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: @$4L@
API String ID: 3192549508-816902871
Opcode ID: b44e5297991d1dd41d4fba917c9ceeae5b5d61fd0bded67d4bd70d17625b6e2c
Instruction ID: a14102534a051e1492d63c073f8199e74a898bb776db94212624cb5022724b4c
Opcode Fuzzy Hash: b44e5297991d1dd41d4fba917c9ceeae5b5d61fd0bded67d4bd70d17625b6e2c
Instruction Fuzzy Hash: BD214FB4604201AFD724EB15C885F2B77E5EBC4714F1685BEE61867291C738EC84CB6A

Function 004843EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: OpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 3743895883-185273294
Opcode ID: 304f6b08deb962b867f2aa81b700bab919cc9f0c86b1c6fe58f0d5fc0cec51f4
Instruction ID: 0e9250b89d192693a19e77b94bf17b31f02fd69c186701225a5d025e1deeb9cf
Opcode Fuzzy Hash: 304f6b08deb962b867f2aa81b700bab919cc9f0c86b1c6fe58f0d5fc0cec51f4
Instruction Fuzzy Hash: 1E012D317042059BD710F6AA8C42BAE739CEBC8B18F5048BBB644E3681EA7C4E406699

Function 0048DD0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

, xrefs: 0048DD39
%d%, xrefs: 0048DD5C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: 97806e5b538e135393ce6a78ab8842bad608ce51c9f6ad6b18a75f971ad60eb4
Instruction ID: 88439d9c2eabed4357755c85552f3f5cbe81af8dfb1ea63edeeefc1de5b012bb
Opcode Fuzzy Hash: 97806e5b538e135393ce6a78ab8842bad608ce51c9f6ad6b18a75f971ad60eb4
Instruction Fuzzy Hash: 49118E70914608AFDB05EFA5D8519DEBBF8EB4D714F91887AE400F26C0E73869008A39

Function 00488B18 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000,00000000,0000000A,00000000,00000008,00000000,00000000,00000000,00000000,00000000,00488BAC,?,?), ref: 00488B85

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: DisplayEnumMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 2950131505-707749442
Opcode ID: 5cf52360925013a012bee43cefa1aafbdb159de8ad873aa000c0ef30290eac26
Instruction ID: f8454c744632a5d9dd25941c0746c42edd378387c74cb8ef01bea56b6289b09f
Opcode Fuzzy Hash: 5cf52360925013a012bee43cefa1aafbdb159de8ad873aa000c0ef30290eac26
Instruction Fuzzy Hash: 710152B06847007BD220B761DC53F1E7699E744B04FE0497BF500BA1D2DAB87D01479D

Function 0042E408 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: a47c1597381401e51e94666345cb70981a850344e4d3901735e21b202ebda570
Instruction ID: 9e16766aa2413ea816577c049e68cd25a8b85d073714f7d506ef38c7e5fa7f27
Opcode Fuzzy Hash: a47c1597381401e51e94666345cb70981a850344e4d3901735e21b202ebda570
Instruction Fuzzy Hash: F601A2317001646FEB00AF5BFC84BAA7B95E7A8764F80417BF9448B621C3789C4187AC

Function 004319C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: ClipboardEnumFormats
String ID: 84B
API String ID: 3947025145-4139892337
Opcode ID: c63f49fb1886e2b1f147f13b5ba5209d00846f9c58fea2e06627953741474055
Instruction ID: 3628f62a9b186bddbe54625d6d21312597d8aeebedd1f1e325a79ba2d7dfa65b
Opcode Fuzzy Hash: c63f49fb1886e2b1f147f13b5ba5209d00846f9c58fea2e06627953741474055
Instruction Fuzzy Hash: 30012630308340AFC701EF29D864B1ABBE4EF4C301F5090A5F840CB361CA39ED05C654

Function 0042E258 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: 29632c1f1f1651f1fdee0b4de2e99c53191e728fa23b5aa8bcdbd8e2ca964af5
Instruction ID: 35cbc800387b3f33683e7bde51bbe078039ce3788c5fde251ffaa49140f5f3f2
Opcode Fuzzy Hash: 29632c1f1f1651f1fdee0b4de2e99c53191e728fa23b5aa8bcdbd8e2ca964af5
Instruction Fuzzy Hash: A1F06D30704560CAEA108A7BBCC5366354EE7A2330BE04BBFA1134ABE5D63C8C41927E

Function 0041897C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00418558), ref: 004189AB

Strings

luA, xrefs: 004189B0
\tA, xrefs: 0041899A

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID: \tA$luA
API String ID: 32694325-2973209611
Opcode ID: 97a0df99a22ee3d664e17a658e14c5389a89957f4968412f7a025c56f55cad77
Instruction ID: 5de4e579f7436390d2bac92cc1d5fd88463d867d68e90a910c01b3743f8c3115
Opcode Fuzzy Hash: 97a0df99a22ee3d664e17a658e14c5389a89957f4968412f7a025c56f55cad77
Instruction Fuzzy Hash: BFF068F270050157C210EB6A9841AD777926BC535CB08863AE514CB792EB3EAC458799

Function 00437D9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00437DB7
GetKeyState.USER32(00000011), ref: 00437DC8

Strings

, xrefs: 00437DD7

Memory Dump Source

Source File: 00000000.00000002.2017820559.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2017796473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.0000000000499000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.000000000049D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2017820559.00000000004B2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2018044187.00000000004B6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_test.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 73d6683b3c4f6cbaf8ab48c12f1d385a28f49bb83da3a75bd13f313b58d706c6
Instruction ID: 96106ebb9835652182e450bae9324755592d7fe799d8fb174ce82df5cd5e6f47
Opcode Fuzzy Hash: 73d6683b3c4f6cbaf8ab48c12f1d385a28f49bb83da3a75bd13f313b58d706c6
Instruction Fuzzy Hash: 46E022B2708B4202E62376692C017F727A14F463A8F08426FBEC02A1C1E99E0A0250A6

Analysis Process: ChromeCookie.exePID: 6484, Parent PID: 5740COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004054B4 Relevance: 1.5, APIs: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0000047C,00000000,?,?), ref: 00405504

Memory Dump Source

Source File: 00000008.00000002.3264582906.0000000000405000.00000040.00000001.01000000.00000006.sdmp, Offset: 00405000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_405000_ChromeCookie.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5ba212015354f8809fa21e50a548c5a899824dc0bf1f36076e6e3181397b3a2b
Instruction ID: 82965a1724c5dce4971d523c65c682e38f6bbf83b2d7d0d4f8b6b7f7581d9b19
Opcode Fuzzy Hash: 5ba212015354f8809fa21e50a548c5a899824dc0bf1f36076e6e3181397b3a2b
Instruction Fuzzy Hash: 92F0F972204104AFD3009B5E9885A9BBBACEB98755F20817BF508D72A1D6759C858BA4

Function 004054B2 Relevance: 1.5, APIs: 1, Instructions: 35
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0000047C,00000000,?,?), ref: 00405504

Memory Dump Source

Source File: 00000008.00000002.3264582906.0000000000405000.00000040.00000001.01000000.00000006.sdmp, Offset: 00405000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_405000_ChromeCookie.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 76eac5e47358ed49c090876229090dcdca953c32e6c4f96fe0d65551cd1f3258
Instruction ID: 6023cd4e370bf6d95665890e42e4d60829662180bf89ab34331310683abd40d6
Opcode Fuzzy Hash: 76eac5e47358ed49c090876229090dcdca953c32e6c4f96fe0d65551cd1f3258
Instruction Fuzzy Hash: FDF05E72204108BFD300DB5DAC85EAB77ACDB98361F20817BF508D7291D275AC818B64

Function 00405514 Relevance: 1.5, APIs: 1, Instructions: 10
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExitUserThread.NTDLL ref: 00405529

Memory Dump Source

Source File: 00000008.00000002.3264582906.0000000000405000.00000040.00000001.01000000.00000006.sdmp, Offset: 00405000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_405000_ChromeCookie.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: d87d66e1dede5e547b0845b8255d60d2f9429177fde671b8cecfd70b9f0d1484
Instruction ID: bb2650ac1d7f9bedbb80645de66c7b561e2e4807d69529290af58a20603d9934
Opcode Fuzzy Hash: d87d66e1dede5e547b0845b8255d60d2f9429177fde671b8cecfd70b9f0d1484
Instruction Fuzzy Hash: B5C09B75200341D7C30037B57DCC70721685719346F40587F7112E56B2D67D84D5CF28

Analysis Process: notepad.exePID: 7172, Parent PID: 6484COMMON

Execution Graph

Execution Coverage:	33.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00620000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180
synchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 006200E5
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00620123
CloseHandle.KERNELBASE(00000000), ref: 00620185
Sleep.KERNELBASE(000001F4), ref: 0062018D

Strings

D, xrefs: 00620136

Memory Dump Source

Source File: 0000000B.00000002.3264210429.0000000000620000.00000040.00000400.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_620000_notepad.jbxd

Similarity

API ID: CreateMutex$CloseHandleSleep
String ID: D
API String ID: 568694521-2746444292
Opcode ID: 6d01b8f3b7773269d6ab6984cc4343c29c1ea18cd121e00fea5f86dcc2d561e3
Instruction ID: 311aa062b8d5d064f8e21abe61209bf3877e77e757602ef86444e0cc56d2240b
Opcode Fuzzy Hash: 6d01b8f3b7773269d6ab6984cc4343c29c1ea18cd121e00fea5f86dcc2d561e3
Instruction Fuzzy Hash: 28513FB1900610AFDF94AFE8C9CDB5A7BACAF09711B544594FE0ACF24ADB34D840CB61

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkComet

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe

C:\Users\user\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
test.exe

Function 00406C2C Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Function 0048AEA8 Relevance: 9.1, APIs: 6, Instructions: 108
COMMON

Function 0048DDE0 Relevance: 7.6, APIs: 5, Instructions: 54
COMMON

Function 004458CC Relevance: 19.9, APIs: 13, Instructions: 386
COMMON

Function 004450B4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131
windowregistryCOMMON

Function 0045DAE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre